CVE-2021-39892: Import pending members from public projects or private projects (if you have guest role) (#28440) · Issues · GitLab.org / GitLab

In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don’t have a maintainer role on and disclose email addresses of those users.


HackerOne report #542539 by ashish_r_padelkar on 2019-04-19, assigned to asaba:

Summary

Hello,

As per the documentation here https://docs.gitlab.com/ee/user/project/members/#import-users-from-another-project,

In the dropdown menu, you can see only the projects you are Maintainer on.

This is NOT true. You can also see the projects where you have just Guest access to.

The problem with this is, once you import members from such projects, a guest can see all pending members who are invited using emails but haven't joined the project yet! i.e. guests will be able to see all the email IDs of the members who are invited using email by Admins but have not yet joined GitLab.

If they just visit the URL directly in the UI, they don't see these members who have not joined GitLab yet!

Steps to reproduce

  1. As an Owner in your project, navigate to https://gitlab.com/<YourUserName>/<YourProject>/project_members/import

  2. When you click on the dropdown, you will not only see the projects where you are maintainer on, but you will see all the projects where you just have Guest role too.

  3. Select the project where you have Guest role and click on Import Project Members.

The Request responsible for this is

POST /<YourUserName>/<YourProject>/project_members/apply_import HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 157  
Cache-Control: max-age=0  
Origin: https://gitlab.com  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Referer: 1  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: 1

utf8=%E2%9C%93&authenticity_token=1&source_project_id=10776018

  4. You can also replace the source_project_id parameter in the above request with public projects too, and it will import from public projects too!

  5. This will import the email IDs of members who have not joined the selected project, which you don't see when you navigate to the members URL from the UI!

Example POC

Navigate to my public project here https://gitlab.com/gitlabadminrsspl1111/thisispublicproject/project_members

You will just see one member there.

Now follow the above reproduction steps, replace the source_project_id parameter in the above request with 10776018 and send the request.

Now check the member list. You will see an email there. This is an invited email which guest users can't see normally as the invited member has not yet joined GitLab/the project!

What is the current bug behavior?

Allows you to import pending members from public projects as well as private projects where you just have guest role

What is the expected correct behavior?

Only members from projects where you have the Maintainer role should be allowed to be imported.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too

Impact

Allows you to import pending members from public projects as well as private projects where you just have guest role.

Proposal

The Import feature should only allow users to import members from projects where the user has a Maintainer role. This should address issues called out under steps 2 and 4 under Steps to Reproduce section.
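The report's root cause is a mismatch between what the dropdown filters and what the server actually checks when `source_project_id` comes back in the POST. The following Ruby is an added example written for this page, not GitLab's own code: it models the import flow with a toy `Project` struct and constructed members and invites, shows the vulnerable variant that trusts the submitted id, and the hardened variant in which a single `can_import_from?` predicate (requiring Maintainer or above, as the Proposal asks) governs both the list the UI offers and the id the server accepts. All names, ids and e-mail addresses in it are made up.

```ruby
# Added example, not GitLab code: a toy model of the project-member import flow
# described in the report, showing the missing authorization check and its fix.
# Role ordering mirrors GitLab's: guest < reporter < developer < maintainer < owner.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# members: { user_name => role }; pending_invites: emails invited but not yet joined
Project = Struct.new(:id, :visibility, :members, :pending_invites)

class AuthorizationError < StandardError; end

def find_project(projects, id)
  projects.find { |p| p.id == id } || raise(ArgumentError, "no project #{id}")
end

# --- Vulnerable behaviour (what the report describes) -----------------------
# The dropdown lists every project the user can merely *see*, and the POST
# handler trusts source_project_id without repeating any role check.
def importable_projects_vulnerable(user, projects)
  projects.select { |p| p.visibility == :public || p.members.key?(user) }
end

def apply_import_vulnerable(_user, target, source_id, projects)
  source = find_project(projects, source_id)
  target.members.merge!(source.members)
  target.pending_invites |= source.pending_invites # invitee emails leak here
  target
end

# --- Hardened behaviour -----------------------------------------------------
# One predicate decides both what the UI offers and what the server accepts,
# so tampering with source_project_id cannot widen the set.
def can_import_from?(user, project)
  role = project.members[user]
  !role.nil? && ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS[:maintainer]
end

def importable_projects(user, projects)
  projects.select { |p| can_import_from?(user, p) }
end

def apply_import(user, target, source_id, projects)
  raise AuthorizationError, "not a maintainer of target" unless can_import_from?(user, target)
  source = find_project(projects, source_id)
  raise AuthorizationError, "not a maintainer of source #{source_id}" unless can_import_from?(user, source)
  target.members.merge!(source.members)
  target.pending_invites |= source.pending_invites
  target
end

# Constructed scenario: "mallory" owns project 1, is only a guest on private
# project 2 and is not a member of public project 3; 2 and 3 hold pending invites.
def build_scenario
  [
    Project.new(1, :private, { "mallory" => :owner }, []),
    Project.new(2, :private, { "alice" => :owner, "mallory" => :guest }, ["invited-a@example.invalid"]),
    Project.new(3, :public,  { "bob" => :owner }, ["invited-b@example.invalid"])
  ]
end

# Invitee emails mallory ends up holding after posting source_project_id=2 and =3.
def leaked_invites_vulnerable
  projects = build_scenario
  target = find_project(projects, 1)
  [2, 3].each { |sid| apply_import_vulnerable("mallory", target, sid, projects) }
  target.pending_invites
end

# Same two requests against the hardened handler: [invites obtained, source ids denied].
def leaked_invites_hardened
  projects = build_scenario
  target = find_project(projects, 1)
  denied = []
  [2, 3].each do |sid|
    begin
      apply_import("mallory", target, sid, projects)
    rescue AuthorizationError
      denied << sid
    end
  end
  [target.pending_invites, denied]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{leaked_invites_vulnerable.inspect}"
  puts "hardened:   #{leaked_invites_hardened.inspect}"
end
```

The point to take from the hardened version is that filtering the dropdown is a usability feature, not a control: the authorization decision has to be re-evaluated server-side against the submitted `source_project_id`, using the same predicate, or the request can simply be replayed with another id as the report shows.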
