Unauthorized user can manipulate status of issues in public projects

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2877710 by pwnie on 2024-12-04, assigned to @ottilia_westerlund:


Report

Summary

The ProcessCommitWorker function automatically closes issues mentioned in commit messages. This behavior is vulnerable because it uses the commit author to determine the user closing the issue, and commit authors can be spoofed. By forging a commit with the victim's email, attackers can close issues in public projects without authorization.


Steps to Reproduce

  1. Create a Target Issue:
     • Log in as a victim user and create an issue in a public project.

  2. Prepare the Attack:
     • Log in as an attacker.
     • Clone a repository you own:
         git clone YOUR_REPO_URL
         cd YOUR_REPO

  3. Forge a Commit:
     • Add any file to the repository:
         touch foobar
         git add foobar
     • Commit with the victim's email and a message referencing the target issue:
         git commit --author="Victim <VICTIM_EMAIL_HERE>" -m "Close https://gitlab.com/VICTIM/PROJECT/-/issues/ID"
     • Replace:
         • VICTIM_EMAIL_HERE with the victim's email address.
         • https://gitlab.com/VICTIM/PROJECT/-/issues/ID with the link to the target issue.

  4. Push the Malicious Commit:
     • Push the changes to your repository:
         git push origin main

  5. Observe that the issue in the victim's project is automatically closed.


Impact

This vulnerability allows an attacker to arbitrarily close issues in public projects without authorization. Since ProcessCommitWorker relies solely on the commit author field, which is easily spoofed, attackers can impersonate any user to exploit this behavior. This could lead to confusion, disruption of project workflows, and abuse of public repositories.
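The following Ruby model is an added illustration, not GitLab's code or the reporter's: it contrasts a worker that resolves the closing user from the commit author header with one that acts as the authenticated pusher and checks that account's permission on the referenced issue. All accounts, the issue URL and the `can_close?` rule are constructed assumptions.

```ruby
# Added illustration, not GitLab's code: models how a commit-processing worker
# picks the account that closes issues referenced in a commit message, and why
# the commit author header must not be that account.
require 'set'

User  = Struct.new(:username, :verified_emails)
Issue = Struct.new(:url, :author, :project_members, :closed)

# Constructed sample accounts and issue (hypothetical).
VICTIM   = User.new('victim',   Set['victim@example.com'])
ATTACKER = User.new('attacker', Set['attacker@example.com'])
USERS_BY_EMAIL = { 'victim@example.com' => VICTIM, 'attacker@example.com' => ATTACKER }
ISSUE_URL = 'https://gitlab.com/VICTIM/PROJECT/-/issues/42'
# Closing keyword followed by a cross-project issue URL.
CLOSE_REF = %r{\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+(https?://\S+/-/issues/\d+)}i

def closing_refs(message)
  message.scan(CLOSE_REF).flatten
end

# Authorization rule: only the issue author or a project member may close it.
def can_close?(user, issue)
  issue.author == user || issue.project_members.include?(user)
end

# Vulnerable choice: trust the author header, which `git commit --author` sets
# freely, so the worker acts as whoever owns that email address.
def closing_user_unsafe(commit, _pusher)
  USERS_BY_EMAIL[commit[:author_email]]
end

# Hardened choice: act as the authenticated pusher. A mismatch between the
# author header and the pusher's verified emails is logged as a signal.
def closing_user_safe(commit, pusher)
  unless pusher.verified_emails.include?(commit[:author_email])
    warn "author #{commit[:author_email]} is not a verified email of #{pusher.username}"
  end
  pusher
end

# Runs the worker logic with the given resolver; returns whether the issue got closed.
def process_commit(commit, pusher, issue, resolver)
  user = send(resolver, commit, pusher)
  closing_refs(commit[:message]).each do |url|
    issue.closed = true if url == issue.url && user && can_close?(user, issue)
  end
  issue.closed
end
# Constructed sample: the attacker pushes a commit whose author header is forged.
FORGED_COMMIT = { author_email: 'victim@example.com', message: "Close #{ISSUE_URL}" }
```

With `process_commit(FORGED_COMMIT, ATTACKER, issue, :closing_user_unsafe)` the issue is closed as the victim, while `:closing_user_safe` leaves it open because the pusher has no permission on it.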

Impact

Close arbitrary issues.

How To Reproduce

Please add reproducibility information to this section: