
A developer of a subgroup can gain access to the main private group

HackerOne report #675633 by rpadovani on 2019-08-17, assigned to estrike:

Summary

Given a secret group with this structure:

- secret-group  
|--> secret-subgroup  

a user who has access with developer role only at secret-subgroup can gain access to secret-group.

Steps to reproduce

Alice: owner of secret-group
Bob: a random developer.

Alice creates secret-group as private, and creates secret-subgroup inside it. She gives developer access to Bob to only the secret-subgroup.

Bob can now access https://gitlab.com/secret-group/secret-subgroup, but he cannot access https://gitlab.com/secret-group/.

Bob creates a new project inside https://gitlab.com/secret-group/secret-subgroup - he can, since he is a developer.

This triggers the bug: now Bob can access https://gitlab.com/secret-group/. Also, he is not reported as a member of secret-group in https://gitlab.com/groups/secret-group/-/group_members, so Alice cannot know this happened.

Calling the APIs, I suspect Bob has gained the :read_group permission over https://gitlab.com/secret-group/, that he didn't have at the beginning.

Impact

This gives access to Bob to these resources:

  • milestones of secret-group
  • labels of secret-group
  • (I suspect, but I don't have a license to verify) epics of secret-group

Probably something else, but I haven't investigated further.

However, it DOES NOT give access to other projects of the group. This is why I also marked Confidentiality as low: epics, labels, and milestones are important, but not as much as repositories and issues.

Examples

I created a private group with a private subgroup - if needed I can give access to the subgroup and you can escalate the privilege on your own.

Output of checks

This bug happens on GitLab.com

Impact

Attackers can gain access to milestones and labels they shouldn't have.
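A regression check for the behaviour described in this report, added here as an example and not part of the original report or GitLab's code: using the credentials of a user who is a member of the subgroup only, it asks for the parent group, its milestones and its labels, and lists whichever of them are readable. The function names and the `constructed_instance` stand-in are assumptions made for illustration; the endpoint paths and the `PRIVATE-TOKEN` header are GitLab's REST API v4.

```python
import urllib.error
import urllib.parse
import urllib.request

# GitLab REST API v4 paths: the group itself plus the resources the report lists.
PARENT_ENDPOINTS = {
    "group": "/groups/{gid}",
    "milestones": "/groups/{gid}/milestones",
    "labels": "/groups/{gid}/labels",
}
DENIED = (401, 403, 404)  # statuses treated as "no access"


def live_status(base_url, token):
    """Build a status_of(path) callable that queries a real instance."""
    def status_of(path):
        req = urllib.request.Request(base_url + "/api/v4" + path,
                                     headers={"PRIVATE-TOKEN": token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return status_of


def leaked_parent_resources(parent_path, status_of):
    """Names of parent-group resources readable with the caller's credentials."""
    gid = urllib.parse.quote(parent_path, safe="")
    return [name for name, tmpl in PARENT_ENDPOINTS.items()
            if status_of(tmpl.format(gid=gid)) not in DENIED]


def constructed_instance(bob_created_project):
    """Constructed stand-in for the behaviour in the report, seen as Bob."""
    def status_of(path):
        if path.startswith("/groups/secret-group%2Fsecret-subgroup"):
            return 200  # Bob is a developer of the subgroup
        if path.startswith("/groups/secret-group"):
            return 200 if bob_created_project else 404
        return 404
    return status_of


if __name__ == "__main__":
    for created in (False, True):
        leaks = leaked_parent_resources("secret-group", constructed_instance(created))
        print("project created:", created, "-> parent resources readable:", leaks)
```

Against a real instance, pass `live_status(base_url, token)` with the subgroup-only user's token in place of the constructed stand-in; an empty list is the expected result.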