Email generation for bots leads to the inability to create project/group access tokens
HackerOne report #1861701 by 0xn3va
on 2023-02-03, assigned to @rshambhuni:
Report
Summary
GitLab allows users to create access tokens scoped to a specific project or group (see https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html and https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html). Under the hood this is implemented by creating a bot user and issuing a personal access token (PAT) to it. Because GitLab creates these bot users itself, it assigns their email addresses according to the following scheme:
project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}
group{group_id}_bot@noreply.{Gitlab.config.gitlab.host}
If a project or group already has an access token, a number is appended to the local part: project{project_id}_bot{number}@noreply.{Gitlab.config.gitlab.host}. However, the number is only advanced when an earlier bot user holds the previous address; it is not advanced when that address is occupied by an ordinary user. In other words, if you link project{project_id}_bot@noreply.{Gitlab.config.gitlab.host} to your own account (no confirmation is required), nobody will be able to create a project access token for that project, because bot user creation fails with the following error:
[REDACTED]
As a result, it is trivial to disable access token creation for any project or group whose ID is known. Moreover, I didn't find any limit on the number of linked emails; I was able to link more than 100 emails to a single account.
Steps to reproduce
- Open gitlab.com and log in
- Create a project or a group
- Note the project/group ID
- Go to User Settings > Emails
- Link the following email to your account (no confirmation is needed):
  for a project: project{Project_ID}_bot@noreply.gitlab.com
  or for a group: group{Group_ID}_bot@noreply.gitlab.com
- Go to the project/group
- Go to Settings > Access Tokens
- Try to create an access token; it will return an error
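The following Ruby script is an added example written for this page; it is not GitLab's code and does not reproduce GitLab's implementation. It models the address scheme from the summary above and replays the reproduction steps against a constructed project ID, placing a hypothetical reconstruction of the vulnerable allocation next to the two fixes the report proposes (iterate the counter, or use a random suffix). HOST, EmailRegistry, the function names and the error text are assumptions for the example; the real error is redacted in the report.

```ruby
require 'set'
require 'securerandom'

# Assumed value of Gitlab.config.gitlab.host for this example.
HOST = 'gitlab.com'

# Constructed stand-in for the users/emails tables. Any address linked to any
# account, confirmed or not, counts as taken (the report notes that linking an
# address needs no confirmation).
class EmailRegistry
  def initialize(taken = [])
    @taken = Set.new(taken)
  end

  def taken?(email)
    @taken.include?(email)
  end

  # Models a user linking an address under User Settings > Emails, or GitLab
  # creating a bot user with that address; either way the address must be unique.
  def link(email)
    raise ArgumentError, "#{email} is already linked" if taken?(email)
    @taken << email
    email
  end
end

# Address scheme from the report: the first bot has no number, later ones get
# a counter appended (project{id}_bot, project{id}_bot1, ...).
def bot_email(scope, resource_id, n)
  suffix = n.zero? ? '' : n.to_s
  "#{scope}#{resource_id}_bot#{suffix}@noreply.#{HOST}"
end

# Vulnerable allocation (hypothetical reconstruction of the reported behaviour):
# the counter comes only from how many bot users the resource already has, so an
# address held by an ordinary user is never skipped and creation fails on the
# uniqueness check. The error text is illustrative only.
def vulnerable_bot_email(scope, resource_id, existing_bot_count, registry)
  email = bot_email(scope, resource_id, existing_bot_count)
  return [:error, "email #{email} has already been taken"] if registry.taken?(email)
  registry.link(email)
  [:ok, email]
end

# Fix option 1 from the report: iterate the counter until the address is free,
# regardless of who holds the earlier ones.
def iterating_bot_email(scope, resource_id, registry, limit: 1000)
  limit.times do |n|
    email = bot_email(scope, resource_id, n)
    next if registry.taken?(email)
    registry.link(email)
    return [:ok, email]
  end
  [:error, "no free bot address within #{limit} attempts"]
end

# Fix option 2 from the report: an unguessable random suffix, so the address
# cannot be pre-registered by an attacker at all.
def random_bot_email(scope, resource_id, registry)
  loop do
    email = "#{scope}#{resource_id}_bot_#{SecureRandom.hex(8)}@noreply.#{HOST}"
    next if registry.taken?(email)
    registry.link(email)
    return [:ok, email]
  end
end

# Replays the reproduction steps against a constructed project ID 123: the
# attacker links project123_bot@noreply.gitlab.com first, then the project
# owner tries to create the project's first access token.
def demo(project_id = 123)
  registry = EmailRegistry.new
  registry.link(bot_email('project', project_id, 0))
  {
    vulnerable: vulnerable_bot_email('project', project_id, 0, registry),
    iterating: iterating_bot_email('project', project_id, registry)
  }
end

demo.each { |fix, result| puts "#{fix}: #{result.inspect}" } if __FILE__ == $PROGRAM_NAME
```

Run it with `ruby bot_email.rb` to see the vulnerable path refuse the token while the iterating path hands out project123_bot1. Note that iteration only moves the counter past whatever the attacker has claimed; since the report observed that more than 100 addresses could be linked to one account, any cap on the number of iterations would let the attacker reintroduce the block by claiming the whole range, which is why the random suffix is the more robust of the two fixes.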
What is the current bug behavior?
Bot users receive predictable email addresses, and the numeric suffix is only advanced when an earlier bot user already holds the previous address; an address that an ordinary user has linked (even without confirmation) is not skipped, so bot user creation fails.
What is the expected correct behavior?
Bot emails should carry a random prefix or suffix, or the address should be iterated until a free one is found, regardless of whether the previous address belongs to an earlier bot user.
Relevant logs and/or screenshots
PoC: [REDACTED]
Output of checks
This bug happens on GitLab.com