A group member who joined by requesting access can access group without setting up 2FA despite group Requires 2FA on all members
HackerOne report #2919391 by salh4ckr on 2025-01-01, assigned to @ngeorge1:
Report
Summary
Hello, Happy new Year,
GitLab has a group protection option that restricts access to members with 2FA enabled on their accounts [more here],
but I found weird behaviour where this 2FA enforcement does not apply to members who self-requested access to a group.
Steps to reproduce
As OWNER
- Create Group A and apply an Ultimate trial
- Go to Group A settings (-/edit#js-permissions-settings) and enable the option called "All users in this group must set up two-factor authentication"
As User 1
- Go to https://gitlab.com/groups/Group A
- Click on the 3 dots in the right corner and click on Request access
As OWNER
- Go to groupA/-/group_members, click on Access requests and accept User 1
- Add User 2 as a member, so now your group has 2 members.
As User 1
- Go to Group A; you will see that you have access to the group
As User 2
- Go to Group A; you will see that you don't have access until you set up 2FA
Video
What is the current bug behavior?
2FA enforcement on group does not apply to group members who joined a group by requesting access
What is the expected correct behavior?
2FA enforcement should apply to all group members
Impact
A group member who joined by requesting access can access the group without setting up 2FA. This puts a group at risk of unauthorized access even if the owner protected the group by requiring 2FA before access is granted.
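Because the group-level setting cannot be relied on alone while this bug exists, an owner or administrator can audit the actual 2FA state of every member. The following Ruby script is an added example and is not GitLab's code or part of the report; it assumes the GitLab REST API v4 fields `require_two_factor_authentication` (group) and `two_factor_enabled` (user, visible to administrators), and ships with constructed sample responses so it runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Constructed sample API responses (not real data) mirroring the report:
# user1 joined via access request, user2 was added directly; neither has 2FA.
SAMPLE_API = {
  '/groups/42' => { 'id' => 42, 'full_path' => 'group-a',
                    'require_two_factor_authentication' => true },
  '/groups/43' => { 'id' => 43, 'full_path' => 'group-b',
                    'require_two_factor_authentication' => false },
  '/groups/42/members/all' => [
    { 'id' => 1, 'username' => 'owner' },
    { 'id' => 2, 'username' => 'user1' },
    { 'id' => 3, 'username' => 'user2' }
  ],
  '/users/1' => { 'id' => 1, 'username' => 'owner', 'two_factor_enabled' => true },
  '/users/2' => { 'id' => 2, 'username' => 'user1', 'two_factor_enabled' => false },
  '/users/3' => { 'id' => 3, 'username' => 'user2', 'two_factor_enabled' => false }
}.freeze

# Live fetcher for a real instance: returns a lambda mapping an API path to
# parsed JSON. Needs an administrator token, since two_factor_enabled is only
# returned to administrators.
def gitlab_fetcher(base_url, token)
  lambda do |path|
    uri = URI.join(base_url, "/api/v4#{path}")
    req = Net::HTTP::Get.new(uri)
    req['PRIVATE-TOKEN'] = token
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    raise "GitLab API returned #{res.code} for #{path}" unless res.is_a?(Net::HTTPSuccess)
    JSON.parse(res.body)
  end
end

# Usernames of members who belong to a 2FA-required group but have no 2FA
# enabled on their account, regardless of how they joined the group.
def members_missing_2fa(group_id, fetch)
  group = fetch.call("/groups/#{group_id}")
  return [] unless group['require_two_factor_authentication']

  members = fetch.call("/groups/#{group_id}/members/all")
  members.reject { |m| fetch.call("/users/#{m['id']}")['two_factor_enabled'] }
         .map { |m| m['username'] }
end

if $PROGRAM_NAME == __FILE__
  offline = ->(path) { SAMPLE_API.fetch(path) }
  puts members_missing_2fa(42, offline).inspect # prints ["user1", "user2"]
end
```

Against a live instance, replace `offline` with `gitlab_fetcher('https://gitlab.example.com', ENV['GITLAB_ADMIN_TOKEN'])`.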
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: