CVE-2023-4379: "Remove approvals by Code Owners if their files changed" does not apply when target branch is changed (#415496) · Issues · GitLab.org / GitLab · GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.


“Remove approvals by Code Owners if their files changed” does not apply when target branch is changed

Summary

One of our users recently complained about the following issue:

For a GitLab project, merge request approvals have the following options:

  • Keep approvals
  • Remove all approvals
  • Remove approvals by Code Owners if their files changed

For "Remove all approvals", GitLab documentation states the following only for this setting and not for the code owners setting: "Approvals aren't removed when a merge request is rebased from the UI. However, approvals are reset if the target branch is changed." The user received approvals on this MR and changed the target branch, after which all approvals were reset. This is correct and works as intended.

However - for "Remove approvals by Code Owners if their files changed", the user received approvals on this MR and changed the target branch, after which code owner approvals remained on the MR. This is incorrect as the expectation was that all approvals should still be removed after the target branch was changed.

Steps to reproduce

  1. Create a project with at least 3 branches (main, branch-a, and branch-b)
  2. Enable "Remove approvals by Code Owners if their files changed" on the project
  3. Define branch main as a protected branch with "Require approval from code owners"
  4. Create a merge request to merge branch-a into main
  5. Get approvals on the merge request (this can be either code owners or other eligible approvers)
  6. Change the merge request to merge branch-a into branch-b instead

What is the current bug behavior?

Approvals remain on the project after changing the target branch.

This is potentially dangerous as a user could get approvals to merge their changes into a test feature branch but switch the target branch to another protected branch and merge without going through the approval process again.

What is the expected correct behavior?

"Approvals aren't removed when a merge request is rebased from the UI. However, approvals are reset if the target branch is changed." should apply every time the target branch changes.

Relevant logs and/or screenshots

You can see in the screenshot here that the approvals remained even after I switched the target branch back and forth.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

We’re currently running on GitLab 15.7.9.

Edited Jun 15, 2023 by Angeline Lee
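Two checks a practitioner might want after reading the issue above, written as an added example (this is not code from the GitLab issue or from GitLab itself): a version test against the affected ranges quoted in the CVE description, and an audit that flags a merge request whose current approvers approved it before the target branch was switched to a protected branch, which is the dangerous sequence the reporter describes. The audit assumes the wording of GitLab's system notes ("approved this merge request", "changed target branch from `x` to `y`") and that the caller has already fetched the notes and the current approver list from the merge request API; the notes and approver set embedded below are constructed sample data, not captured from a real instance.

```python
"""Added example for CVE-2023-4379; not part of the GitLab issue or GitLab's code.

is_affected()           -- version falls in the ranges given in the advisory text:
                           15.3 <= v < 16.2.8, 16.3 <= v < 16.3.5, 16.4 <= v < 16.4.1
find_stale_approvals()  -- given a merge request's system notes and its current
                           approvers, report approvals that predate a retarget to a
                           protected branch (an approval that should have been reset).

Assumptions (not taken from the page): the system-note wording below matches what
GitLab writes; notes come from GET /projects/:id/merge_requests/:iid/notes and the
approver set from GET /projects/:id/merge_requests/:iid/approvals.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (inclusive lower bound, exclusive upper bound) taken from the CVE description.
AFFECTED_RANGES = [
    ((15, 3, 0), (16, 2, 8)),
    ((16, 3, 0), (16, 3, 5)),
    ((16, 4, 0), (16, 4, 1)),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '16.2.7-ee' or '15.7' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the GitLab EE version lies in one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


@dataclass(frozen=True)
class Note:
    created_at: str   # ISO 8601 UTC timestamp; same format for every note, so string order is time order
    author: str       # username of the note's author
    body: str
    system: bool      # True for GitLab-generated system notes


APPROVED_BODY = "approved this merge request"
# Assumed system-note wording for a target-branch change.
RETARGET_RE = re.compile(r"changed target branch from `([^`]+)` to `([^`]+)`")


def find_stale_approvals(notes: list[Note], current_approvers: set[str],
                         protected_branches: set[str]) -> list[dict]:
    """Flag current approvers whose approval predates a retarget onto a protected branch.

    Only system notes are trusted: a user typing the phrase in a comment must not count.
    """
    last_approval: dict[str, str] = {}      # approver -> time of most recent approval note
    retargets: list[tuple[str, str, str]] = []  # (time, old target, new protected target)
    for n in sorted(notes, key=lambda n: n.created_at):
        if not n.system:
            continue
        if n.body.strip() == APPROVED_BODY:
            last_approval[n.author] = n.created_at
            continue
        m = RETARGET_RE.search(n.body)
        if m and m.group(2) in protected_branches:
            retargets.append((n.created_at, m.group(1), m.group(2)))

    findings = []
    for approver in sorted(current_approvers):
        approved_at = last_approval.get(approver)
        if approved_at is None:
            continue  # no approval note to compare against; cannot judge
        later = [r for r in retargets if r[0] > approved_at]
        if later:
            when, _old, new = later[-1]
            findings.append({"approver": approver, "approved_at": approved_at,
                             "retargeted_to": new, "retargeted_at": when})
    return findings


# Constructed sample: approval given while the MR targeted a feature branch,
# then the target switched to the protected branch 'main', approval still live.
SAMPLE_NOTES = [
    Note("2023-06-01T10:00:00Z", "alice", "approved this merge request", True),
    Note("2023-06-01T10:05:00Z", "bob", "approved this merge request", False),  # plain comment, ignored
    Note("2023-06-01T11:00:00Z", "mallory", "changed target branch from `branch-b` to `main`", True),
]
SAMPLE_APPROVERS = {"alice"}
PROTECTED = {"main"}

if __name__ == "__main__":
    for v in ("15.7.9", "16.2.7", "16.2.8", "16.4.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for f in find_stale_approvals(SAMPLE_NOTES, SAMPLE_APPROVERS, PROTECTED):
        print("stale approval:", f)
```

The reporter's own instance, 15.7.9, falls inside the first range, which matches the behaviour they observed. The audit deliberately requires the approver to still be present in the live approver set, since the fixed behaviour is to drop the approval on retarget; on a patched instance the function should therefore return nothing for this sequence.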
