Security hole in merge request workflow
Created by: X-Stranger
We are using the GitLab 6.0.1 engine with a few customizations, but it looks like this issue can be reproduced with the 6.1.0 engine. I would appreciate it if somebody would try to reproduce this on their own GitLab instance.
We have found a scenario in which a GitLab user can merge his code via a merge request into the master branch even without the appropriate privileges.
This means even junior developers, who normally do not have the ability to merge their code into the stable branch, will be able to do it.
The scenario is:
- Create your own local branch;
- Update your local .gitconfig file with the username and e-mail of a user who has privileges to push to master;
- Commit your code to this branch with these git settings (the author of the commit will be set to the user who has permission to push to master);
- Push your code to GitLab;
- Create a merge request;
- Assign it to the person who is supposed to merge this branch;
- GitLab will show a button allowing this request to be merged automatically;
- After pressing this button, the code is successfully merged.
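The scenario above boils down to a merge check that trusts git's free-form author metadata instead of the authenticated user pressing the button. The following is an added, constructed Ruby model of that bug class next to the corrected check and a simple mismatch detector; it is not GitLab's code, and the users, roles and e-mail addresses are made up.

```ruby
# Constructed model of the authorization bug in the report (not GitLab's code).
# :master may push to protected branches, :developer only to other branches.
ROLES = { "alice" => :master, "bob" => :developer }.freeze   # constructed sample users
PROTECTED_BRANCHES = ["master"].freeze

Commit = Struct.new(:author_email, :message)
MergeRequest = Struct.new(:source_branch, :target_branch, :commits, :submitted_by)

def can_push?(username, branch)
  role = ROLES.fetch(username, :none)
  return role == :master if PROTECTED_BRANCHES.include?(branch)
  role != :none
end

def user_for_email(email)
  # Author e-mail is free-form git metadata; anyone can set it in .gitconfig,
  # so mapping it back to an account is not an authentication step.
  email.split("@").first
end

# Flawed check: decides mergeability from the commit author field.
def mergeable_by_author?(mr)
  mr.commits.all? { |c| can_push?(user_for_email(c.author_email), mr.target_branch) }
end

# Correct check: only the authenticated user performing the merge matters;
# author and committer fields stay untrusted metadata.
def mergeable_by_current_user?(mr, current_user)
  can_push?(current_user, mr.target_branch)
end

# Defender-side signal: commits whose author does not match the account that
# pushed the branch deserve review (or rejection on protected targets).
def author_mismatches(mr, pusher_email)
  mr.commits.reject { |c| c.author_email.casecmp?(pusher_email) }
end

def demo
  spoofed = Commit.new("alice@example.com", "feature work")  # bob set alice's e-mail locally
  mr = MergeRequest.new("feature", "master", [spoofed], "bob")
  {
    flawed: mergeable_by_author?(mr),                 # true: bug reproduced
    correct: mergeable_by_current_user?(mr, "bob"),   # false: bob cannot push to master
    legit: mergeable_by_current_user?(mr, "alice"),   # true: a master may still merge
    flagged: author_mismatches(mr, "bob@example.com").size
  }
end
```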