Security flaw of integration of CodeClimate
Summary
The current integration guidelines of CodeClimate with GitLab yield a setup where any user can take over the host running the docker daemon.
Description
As recommended by [the GitLab documentation] (https://docs.gitlab.com/ee/ci/examples/code_climate.html) - integrating Code Climate is done through the Dockerfile that is a part of the repository - and it requires GitLab Runner to be set up with the Docker-in-Docker service, running in privileged mode.
So any user with access can create a Merge Request, to modify the Dockerfile, and add a docker command that will create and run a new container that takes over the host OS - e.g. injecting a new root user, a new autostart script after reboot, etc. - they can become root on the host system. After this has been achieved - many things can happen, including snooping on all the source code arriving from other projects to codequality and even worse.
Possible fixes
If GitLab Runner is configured to use the Docker executor not in privileged mode - there's no problem - but unfortunately Code Climate requires to be run inside a Docker-in-Docker container.
Another alternative solution would be to have a dedicated CodeClimate-dedicated Runner configuration - that does run in privileged mode and has the DinD service - but, the security risk can be avoided in case the definition of this is not a part of the Dockerfile in the repository - but is configured outside of this scope - outside a scope that can be controlled by a user - E.g. it can either be hardcoded ("CodeClimate enabled - y/n" Setting), etc.
I hope to spark a discussion with ideas and a solution. Also perhaps I'm misunderstanding something and others could shed some light on how they the whole setup secure.
References
- Same [issue posted on CodeClimate and their response] (https://github.com/codeclimate/codeclimate/issues/722) - basically they say it should be secure by the CI itself