Guest with custom `Admin group member` permissions can approve the users invitation despite user caps
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #2602274](https://hackerone.com/reports/2602274)** by `ashish_r_padelkar` on 2024-07-15, assigned to `GitLab Team`:

[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

Hello,

The user cap here `https://gitlab.com/groups/<groupName>/-/edit#js-permissions-settings` allows owners to set up the maximum number of allowed members in a group. If any non-owner, such as a Guest with custom `Admin group member` permissions, adds members, they need to be approved by group owners only. However, non-group owners (e.g. a Guest with custom `Admin group member` permissions) can also approve these pending members above the user cap using this vulnerability.

##### Steps to reproduce

1. As a group owner, set your maximum user cap to `2` at `https://gitlab.com/groups/groupjune2024/-/edit#js-permissions-settings` under `user cap` and save.
2. Create a custom role at `https://gitlab.com/groups/groupjune2024/-/settings/roles_and_permissions` with `Guest` as the base role and the `Admin group member` permission. Name it `GuestAdminMember`.
3. Add a user `UserB` at `https://gitlab.com/groups/groupjune2024/-/group_members` with the `GuestAdminMember` role.
4. Log in as `UserB` and go to `https://gitlab.com/groups/groupjune2024/-/group_members`.
5. Invite a new GitLab member (an existing user).
6. They are not automatically added and will reside under the `Pending invitations` tab. You will also see a message like the one below.

   ![Screenshot_2024-07-15_at_1.40.36_PM.png](https://h1.sec.gitlab.net/a/4023b20d-e2c6-404e-a661-3c0f04cc8a4f/Screenshot_2024-07-15_at_1.40.36_PM.png)

7. Only group owners are allowed to approve these types of users at `https://gitlab.com/groups/groupjune2024/-/usage_quotas/pending_members`.
8. As `UserB`, copy your `Cookie` and `X-Csrf-Token` and replace them in the request below.

   ```
   PUT /api/v4/groups/89036276/members/107619688/approve HTTP/2
   Host: gitlab.com
   Cookie: <Replace_Your_Cookie>
   Content-Length: 0
   Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
   X-Csrf-Token: <Replace_Your_Token>
   Sec-Ch-Ua-Mobile: ?0
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
   Sec-Ch-Ua-Arch: "arm"
   Sec-Ch-Ua-Full-Version: "126.0.6478.127"
   Accept: application/json, text/plain, */*
   Sec-Ch-Ua-Platform-Version: "13.2.1"
   X-Requested-With: XMLHttpRequest
   Sec-Ch-Ua-Bitness: "64"
   Baggage: sentry-environment=gprd,sentry-release=efd75b0e35b,sentry-public_key=f5573e26de8f4293b285e556c35dfd6e,sentry-trace_id=10db2c32dec44573ad24be6d49f72bb6,sentry-sample_rate=0.05,sentry-transaction=groups%3Ausage_quotas%3Apending_members,sentry-sampled=false
   Sec-Ch-Ua-Model: ""
   Sec-Ch-Ua-Full-Version-List: "Not/A)Brand";v="8.0.0.0", "Chromium";v="126.0.6478.127", "Google Chrome";v="126.0.6478.127"
   Sentry-Trace: 10db2c32dec44573ad24be6d49f72bb6-ad57d8996519dd28-0
   Sec-Ch-Ua-Platform: "macOS"
   Origin: https://gitlab.com
   Sec-Fetch-Site: same-origin
   Sec-Fetch-Mode: cors
   Sec-Fetch-Dest: empty
   Referer: https://gitlab.com/groups/groupjune2024/-/usage_quotas/pending_members
   Accept-Encoding: gzip, deflate, br
   Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
   Priority: u=1, i
   ```

   Here `107619688` is the member ID, which you can obtain from the response of `https://gitlab.com/groups/groupjune2024/-/group_members?tab=invited`. Just look in the HTML response for the invite array. For the PoC, you can just copy it from the owner's view to reproduce this quickly. For `Cookie` and `X-Csrf-Token`, you can copy these values from the `Remove Member` request as `UserB`.

9. Send the request and you should see an `HTTP/2 204 No Content` response. Go back to `https://gitlab.com/groups/groupjune2024/-/group_members` and you should see that the user is approved.

##### What is the current *bug* behavior?

Guest with custom permissions can approve the pending invites despite user caps.

##### What is the expected *correct* behavior?

Only group owners should be allowed to approve.

##### Output of checks

This bug happens on GitLab.com

Regards,
Ashish

#### Impact

Guest with custom `Admin group member` permissions can approve the users invitation despite user caps

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Screenshot_2024-07-15_at_1.40.36_PM.png](https://h1.sec.gitlab.net/a/4023b20d-e2c6-404e-a661-3c0f04cc8a4f/Screenshot_2024-07-15_at_1.40.36_PM.png)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
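As an added illustration that is not part of the report or of GitLab's own code base, the following Ruby model shows the authorization decision the report is about: a user-cap check that parks invitees as pending, a vulnerable approval check that accepts the custom `admin_group_member` permission, and a hardened one that requires the Owner role. The `Member`, `Group`, `invite_member` and `approve_pending_member` names are hypothetical; only the access-level values for Owner (50) and Guest (10) are GitLab's.

```ruby
# Hypothetical, simplified model of the decision the report is about; the
# class and method names are assumptions, not GitLab's real code.
Member = Struct.new(:user, :access_level, :custom_permissions, :pending,
                    keyword_init: true)

Group = Struct.new(:user_cap, :members, keyword_init: true) do
  def active_members
    members.reject(&:pending)
  end

  def member_for(user)
    members.find { |m| m.user == user }
  end
end

OWNER = 50 # GitLab access level for Owner
GUEST = 10 # GitLab access level for Guest

# Inviting an existing user when the group is already at its user cap
# creates the membership in a pending state that needs approval.
def invite_member(group, user, access_level, custom_permissions = [])
  pending = group.active_members.size >= group.user_cap
  group.members << Member.new(user: user, access_level: access_level,
                              custom_permissions: custom_permissions,
                              pending: pending)
  pending ? :pending : :added
end

# Vulnerable check: the custom "admin group member" permission is treated as
# enough to approve, so a Guest holding that custom role bypasses the cap.
def can_approve_vulnerable?(actor, group)
  m = group.member_for(actor)
  return false if m.nil?
  m.access_level >= OWNER || m.custom_permissions.include?(:admin_group_member)
end

# Hardened check: approving a member held back by the user cap is owner-only;
# custom permissions layered on a lower base role do not grant it.
def can_approve_hardened?(actor, group)
  m = group.member_for(actor)
  !m.nil? && m.access_level >= OWNER
end

# Model of PUT /groups/:id/members/:user_id/approve under a given policy.
def approve_pending_member(actor, group, pending_user, policy)
  return :forbidden unless policy.call(actor, group)
  target = group.member_for(pending_user)
  return :not_found unless target && target.pending
  target.pending = false
  :approved
end

# Constructed scenario from the report: cap of 2, an owner, UserB as a Guest
# with the custom admin_group_member permission, then UserC is invited.
def report_scenario
  group = Group.new(user_cap: 2, members: [])
  invite_member(group, "owner", OWNER)
  invite_member(group, "UserB", GUEST, [:admin_group_member])
  invite_member(group, "UserC", GUEST)
  group
end
```

Running `approve_pending_member("UserB", report_scenario, "UserC", method(:can_approve_vulnerable?))` returns `:approved`, reproducing the bug in the model; with `method(:can_approve_hardened?)` the same call returns `:forbidden` while the owner can still approve.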