Commite Access to Project due to bypass of recommended email regex!

HackerOne report #631879 by ngalog on 2019-06-29, assigned to gitlab_cmaxim:

Summary

The recommended regex of commiter author's email is like this Example: @my-company.com$
It forgot to escape the dot. In normal situation this is fine, however if the user used subdomain of the email address, then this could be bypassed as below.

Commiter Authori's email regex: @sub.company.com$

user1@sub.company.com -> pass  
user1@subacompany.com -> also pass the regex  

Steps to reproduce:

Visit https://gitlab.com/:project/-/settings/repository and you should see the recommended regex of email could be bypassed.

Impact

This allow user to use other email address to bypass the commitor's email address. Unauthoirzed change to project source code.

What is the current bug behavior?

recommended regex is @sub.company.com$

What is the expected correct behavior?

should be @sub\.company\.com$

Relevant logs and/or screenshots

Output of checks

GitLab.com and EE and CE of 12.0

Impact

.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Screen_Shot_2019-06-29_at_4.40.46_PM.png

added HackerOne priority2 security severity2 labels

Confirmed. This one is similar to an issue fixed 2 months ago: https://gitlab.com/gitlab-org/gitlab-ce/issues/58031

/cc @eread @jeremy

added groupauthentication and authorization [DEPRECATED] label

changed due date to September 23, 2019

assigned to @jeremy

This security issue has no milestone with dates.

Assigning the group PM according to the group:: label. Please set a milestone with dates, thanks!
(Feel free to unassign yourself after setting the milestone.)

More information: https://gitlab.com/gitlab-com/gl-security/engineering/issues/446

added security-set-milestone label

@cmaxim this one looks like UI change, rather than docs change. The link is to a third party site, not our own docs.

Let me ping Manage team.

added Enterprise Edition label

I'm not sure why this is Manage, assigning to Create. cc @jramsay

added backend devopscreate groupsource code labels and removed groupauthentication and authorization [DEPRECATED] label

@cmaxim I don't think this should be confidential since it's just a help tip that is misleading. Also, the severity seems overkill since the feature does actually work!

@jramsay I think you're right that this shouldn't be a confidential issue since the change I need to make is updating the placeholder. Should I remove the security label?

@cmaxim would you agree?

Current	Propose Change

LGTM! I have updated to P4/S4.
Thanks for the update

awesome, thanks Costel! I'll remove the security label and make this issue public

changed milestone to %12.4

added frontend repository labels and removed backend label

assigned to @jramsay and unassigned @jeremy

removed security-set-milestone label

added Deliverable label

changed weight to 2

changed weight to 3

assigned to @sming-gitlab

I'm having a bit of trouble locating this feature

Not able to find it through the suggested link https://gitlab.com/:project/-/settings/repository

It's not within any of the expanded content. @jramsay are you able to assist?

@sming-gitlab are you using EE? Push rules are only available in Starter and above

I was working in the wrong repo -- I'm new to the security workflow (@andr3 clarified it for me, yay!). It's working now, thanks James!

Just to clarify... "wrong repo" => still in dev.gitlab.org

added priority4 severity4 labels and removed priority2 severity2 labels

removed security label

made the issue visible to everyone

made the issue confidential

made the issue visible to everyone

mentioned in merge request !18235 (merged)

unassigned @jramsay

added workflowin review label

closed via merge request !18235 (merged)

mentioned in commit f8caaee4