ESCALATED: Security issues on user mode in session for admins
After being pinged for a security review on !18214 (merged), @joernchen and I did a security review of the whole 'admin mode' feature (!16981 (merged) and !18214 (merged)) given that we hadn't reviewed it and it involves a sensitive part of the app like the admin area.
Here are the concerns that we detected:
- The user and admin separation that this feature introduces only affects the Web UI; API operations are executed with admin rights and SSH keys are allowed to clone any repo, which makes this feature ineffective.
- 2FA isn't enforced for admins after introducing the password to log into the admin area. We could also contemplate requiring only the 2FA code to log into the admin mode.
- Destroying the admin session through a GET endpoint (`/admin/session/destroy`) introduces a CSRF vulnerability that disables the admin mode. The impact of this one is minimal, but it would be good to fix it if possible to prevent any future issues.
- The button to leave admin mode isn't displayed on docker and gdk instances.
Edited by GitLab SecurityBot
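To illustrate the third concern (a GET endpoint that changes session state), here is an added Ruby example that is not GitLab's code and not part of the original issue. It contrasts a handler that drops admin mode on a plain GET, which any cross-site page can trigger without the admin's intent, with a hardened handler that only accepts a state-changing verb (POST or DELETE) together with a per-session token, the same shape of protection Rails provides through `protect_from_forgery`. The `Request` struct, the `new_admin_session` helper and the function names are constructed for the example; the token check is a deliberately simplified stand-in for Rails' masked authenticity tokens.

```ruby
require 'securerandom'

# Constructed stand-in for an HTTP request with its server-side session (not a Rails object).
Request = Struct.new(:verb, :path, :params, :session, keyword_init: true)

# Constructed helper: an admin-mode session carrying a per-session CSRF token.
def new_admin_session
  { admin_mode: true, csrf_token: SecureRandom.hex(32) }
end

# Vulnerable shape: a GET to the destroy path drops admin mode unconditionally.
# Browsers send GET requests freely for images, links and redirects, so a page on
# another origin can make the admin's browser hit this URL with the admin's cookies.
def destroy_admin_mode_via_get(request)
  return :not_found unless request.path == '/admin/session/destroy' && request.verb == 'GET'

  request.session.delete(:admin_mode)
  :destroyed
end

# Constant-time comparison so the token check does not leak match length via timing
# (Rails uses ActiveSupport::SecurityUtils.secure_compare for the same purpose).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened shape: state changes require a non-GET verb plus a token bound to the
# session, which a cross-site attacker cannot read and therefore cannot supply.
def destroy_admin_mode_protected(request)
  return :not_found unless request.path == '/admin/session/destroy'
  return :method_not_allowed unless %w[POST DELETE].include?(request.verb)

  expected = request.session[:csrf_token]
  supplied = request.params['authenticity_token']
  return :forbidden if expected.nil? || supplied.nil? || !secure_compare(expected, supplied)

  request.session.delete(:admin_mode)
  :destroyed
end

if __FILE__ == $PROGRAM_NAME
  # Same forged GET against both handlers: the first disables admin mode, the second refuses.
  forged = ->(session) { Request.new(verb: 'GET', path: '/admin/session/destroy', params: {}, session: session) }
  puts "GET handler:       #{destroy_admin_mode_via_get(forged.call(new_admin_session))}"
  puts "protected handler: #{destroy_admin_mode_protected(forged.call(new_admin_session))}"
end
```

The design point for a reviewer is that the verb restriction alone is not enough (a cross-site form can POST), and the token alone is not enough if GET still works (GET requests in Rails are not subject to the forgery check); both are needed, which is what routing the action through `delete` and keeping `protect_from_forgery` enabled achieves.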