Maintainer can create a fork relationship between existing projects contrary to documentation
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #2058121](https://hackerone.com/reports/2058121)** by `theluci` on 2023-07-08, assigned to @kmorrison1:

[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

Hello,

#### Background

GitLab provides a feature to create a [fork of a project](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html). When you create a [fork of a project using the UI](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html#create-a-fork), you become the owner of the **forked project** or **downstream project**. That is, only the owner of a project can create the fork relationship between the downstream project and the upstream project. Similarly, only the owner of a project can [remove a fork relationship](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html#unlink-a-fork).

When using the API as well, according to the [docs](https://docs.gitlab.com/ee/api/projects.html#fork-relationship), only project owners and administrators can **Create a fork relationship between existing projects** as well as **Delete an existing fork relationship**.

![7july-5.png](https://h1.sec.gitlab.net/a/f9f880a1-298b-463c-833a-979dab69acff/7july-5.png)

#### Vulnerability

According to the [docs](https://docs.gitlab.com/ee/api/projects.html#fork-relationship), only project owners and administrators can **Create a fork relationship between existing projects**.

![7july-6.png](https://h1.sec.gitlab.net/a/7e71eb8c-8430-4c60-aee7-fa280b87ccab/7july-6.png)

**However, the above is not enforced, and a Maintainer can create a fork relationship between existing projects.** This behaviour contradicts what happens when using the UI, and it contradicts what should happen according to the docs.

#### Steps to reproduce

1. `victim` creates a group `victim-group` and a project `victim-project` inside it.
2. `victim` goes to the `victim-project` membership page, `https://gitlab.com/<victim-group>/<victim-project>/-/project_members`, and adds `attacker` as *Maintainer*.
3. `attacker` creates a **personal project** `attacker-project`.
4. `attacker` goes to his terminal and runs the following command:

   ```
   curl --request POST --header "PRIVATE-TOKEN: <access_token>" "https://gitlab.com/api/v4/projects/<victim_project_ID>/fork/<attacker_project_ID>"
   ```

`attacker` was able to create a fork relationship between `victim-project` and `attacker-project`, contrary to the documentation. *(`victim-project` is the **downstream project** and `attacker-project` is the **upstream project**.)*

Please note that above, `attacker` created a fork relationship between `victim-project` and `attacker-project`. However, this isn't necessary: `attacker` can create a fork relationship between `victim-project` and any project `attacker` has access to, including public projects.

#### POC

![8july-video2.mp4](https://h1.sec.gitlab.net/a/448f43a3-b788-4897-b527-fa853a96b95b/8july-video2.mp4)

#### Output of checks

This bug happens on GitLab.com (probably on instances too).

#### Impact

A Maintainer can create a fork relationship between existing projects, contrary to the documentation.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [7july-5.png](https://h1.sec.gitlab.net/a/f9f880a1-298b-463c-833a-979dab69acff/7july-5.png)
* [7july-6.png](https://h1.sec.gitlab.net/a/7e71eb8c-8430-4c60-aee7-fa280b87ccab/7july-6.png)
* [8july-video2.mp4](https://h1.sec.gitlab.net/a/448f43a3-b788-4897-b527-fa853a96b95b/8july-video2.mp4)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
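The report shows that a fork relationship can be attached to a group's project by a non-owner, pointing it at an upstream the group does not control. The following audit helper is added here for group owners; it is not part of the report and not GitLab's own code. It assumes project records shaped like GitLab's project API responses (the `forked_from_project` object with `id` and `path_with_namespace` is a documented field); the sample records, the `victim-group`/`attacker` names and the allow-list of trusted namespaces are constructed for illustration. Unlinking via `DELETE /projects/:id/fork` is the documented remediation referenced in the report's docs link.

```python
"""Audit helper: flag projects whose fork parent lies outside an allowed set of namespaces.

Constructed example, not GitLab code. Input records mirror the subset of fields returned
by GitLab's GET /groups/:id/projects (or GET /projects/:id) that this check needs.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records. Project 101 mirrors the report: a group project whose
# upstream was set to a personal project outside the group.
SAMPLE_PROJECTS = [
    {"id": 101, "path_with_namespace": "victim-group/victim-project",
     "forked_from_project": {"id": 555, "path_with_namespace": "attacker/attacker-project"}},
    {"id": 102, "path_with_namespace": "victim-group/docs",
     "forked_from_project": {"id": 77, "path_with_namespace": "victim-group/templates/docs-template"}},
    {"id": 103, "path_with_namespace": "victim-group/api"},  # no fork relationship at all
]


def in_allowed_namespace(path_with_namespace: str, allowed_namespaces: Iterable[str]) -> bool:
    """True if the project path sits in one of the allowed namespaces or a subgroup of one."""
    for ns in allowed_namespaces:
        ns = ns.strip("/")
        if path_with_namespace == ns or path_with_namespace.startswith(ns + "/"):
            return True
    return False


def find_unexpected_forks(projects: Iterable[Dict], allowed_namespaces: Iterable[str]) -> List[Dict]:
    """Return every project whose upstream (fork parent) is outside the allowed namespaces."""
    allowed = list(allowed_namespaces)
    findings = []
    for project in projects:
        parent = project.get("forked_from_project")
        if not parent:
            continue  # not a fork; nothing to check
        if in_allowed_namespace(parent["path_with_namespace"], allowed):
            continue  # upstream is one of our own projects; expected
        findings.append({
            "project": project["path_with_namespace"],
            "project_id": project["id"],
            "upstream": parent["path_with_namespace"],
            "upstream_id": parent["id"],
        })
    return findings


def remediation_request(project_id: int) -> Tuple[str, str]:
    """HTTP method and path of the documented call that unlinks a project's fork relationship."""
    return ("DELETE", f"/api/v4/projects/{project_id}/fork")


def fetch_group_projects(base_url: str, group_id: int, token: str) -> List[Dict]:
    """Page through a group's projects (subgroups included) with a private token.

    Network access is only needed when auditing a live instance; the offline check
    above works on any list of records with the same shape.
    """
    projects: List[Dict] = []
    page = 1
    while True:
        url = (f"{base_url.rstrip('/')}/api/v4/groups/{group_id}/projects"
               f"?include_subgroups=true&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.loads(resp.read().decode("utf-8"))
        if not batch:
            return projects
        projects.extend(batch)
        page += 1


if __name__ == "__main__":
    # Offline run over the constructed sample: only project 101 should be reported.
    for finding in find_unexpected_forks(SAMPLE_PROJECTS, ["victim-group"]):
        method, path = remediation_request(finding["project_id"])
        print(f"{finding['project']} is a fork of {finding['upstream']} "
              f"(outside trusted namespaces); unlink with {method} {path}")
```

Run against a live group by passing the output of `fetch_group_projects(...)` to `find_unexpected_forks` with the namespaces your organisation owns; anything reported is a fork relationship that no owner in the group should have created and that is worth reconciling against the project's audit events before unlinking it.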