Merging of merge request to protected branches as developer possible
Closed
Created by: berni2288
Summary
Security issue: When creating a merge request and selecting a protected target branch, users who are not Master in the project (but are Master in the group the project belongs to) can merge the merge request into the target branch.
Permission level in the project: Developer
Permission level in the project group: Master
Steps to reproduce
- Use a user with "Developer" access to the project
- Create a merge request in that project
- Select a protected branch as target branch
- Try to merge the request
Expected behavior
A user who is only a Developer in the project should not be able to merge a merge request into a protected branch.
Observed behavior
The green "Accept Merge Request" button is shown, and a Developer can merge the changes.
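As an added illustration (not GitLab's own code and not part of the original report), the following toy model contrasts the two ways a user's direct project role and inherited group role can be combined into one effective access level; the membership tables, user and project names, and numeric levels are constructed assumptions.

```ruby
# Toy model of how a user's effective role on a project is resolved when the
# user holds one role directly on the project and another via the project's
# group. Constructed for illustration; this is not GitLab's implementation.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, master: 40 }.freeze

# Constructed membership data (assumed, not taken from the report): project
# 'app' belongs to group 'acme'; user 'berni' is Developer on the project
# directly and Master in the group, mirroring the situation in the report.
PROJECT_MEMBERS = { 'app' => { 'berni' => :developer } }.freeze
GROUP_MEMBERS   = { 'acme' => { 'berni' => :master } }.freeze
PROJECT_GROUP   = { 'app' => 'acme' }.freeze

# Rule A ("highest wins"): take the strongest of the direct project role and
# the inherited group role. This reproduces the observed behaviour: the group
# Master role lifts the user to Master on the project.
def effective_level_highest_wins(user, project)
  direct = PROJECT_MEMBERS.fetch(project, {})[user]
  group  = GROUP_MEMBERS.fetch(PROJECT_GROUP[project], {})[user]
  [direct, group].compact.map { |role| ACCESS_LEVELS.fetch(role) }.max
end

# Rule B ("explicit project role wins"): a role granted directly on the
# project overrides the inherited group role; the group role is consulted
# only when the user has no direct project membership. This matches the
# expected behaviour described in the report.
def effective_level_project_wins(user, project)
  direct = PROJECT_MEMBERS.fetch(project, {})[user]
  return ACCESS_LEVELS.fetch(direct) if direct

  group = GROUP_MEMBERS.fetch(PROJECT_GROUP[project], {})[user]
  group && ACCESS_LEVELS.fetch(group)
end

# Protected branches accept merges only from users at Master level or above.
def can_merge_to_protected_branch?(level)
  !level.nil? && level >= ACCESS_LEVELS[:master]
end

if __FILE__ == $PROGRAM_NAME
  a = effective_level_highest_wins('berni', 'app')
  b = effective_level_project_wins('berni', 'app')
  puts "highest wins:      level #{a} -> merge allowed? #{can_merge_to_protected_branch?(a)}"
  puts "project role wins: level #{b} -> merge allowed? #{can_merge_to_protected_branch?(b)}"
end
```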
Relevant logs and/or screenshots
none
Output of checks
Checking Environment ...
Git configured for git user? ... yes
Has python2? ... yes
python2 is supported version? ... yes
Checking Environment ... Finished
Checking GitLab Shell ...
GitLab Shell version >= 1.7.0 ? ... OK (1.7.0)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
post-receive hook up-to-date? ... yes
post-receive hooks in repos are links: ...
DEV / test ... ok
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Checking Sidekiq ... Finished
Checking GitLab ...
Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Init script exists? ... yes
Init script up-to-date? ... yes
Projects have satellites? ...
DEV / test ... yes
Redis version >= 2.0.0? ... yes
Your git bin path is "/usr/bin/git"
Git version >= 1.7.10 ? ... yes (1.7.10)
Checking GitLab ... Finished
Possible fixes
none