Secret CI variables can be exposed by creating a tag with the same name as an existing protected branch
Steps to reproduce

1. Add a secret variable and mark it as protected. It should only be accessible on protected tags/branches to prevent unauthorized access.
2. Create a branch matching a protected branch or wildcard. A `master` protection is created by default and can be used here instead.
3. Add `.gitlab-ci.yml` with a script that will steal the secret variable. For test purposes `echo $PROTECTED_SECRET` works, but an attacker might do this silently.
4. Create a tag with the same name as (2).
5. Find a way to trigger a pipeline for that tag.
   - Note: We'd expect this to happen automatically, but because of a bug we accidentally check `can_update_branch?` for the tag and prevent the pipeline being created. If that bug is fixed this step can be skipped, but for now an attacker might be able to trigger the pipeline using trigger tokens or repository mirroring. See discussion below.
6. Notice that the secret is incorrectly available to the script.
Output

```
$ echo $PROTECTED_SECRET
myhiddenpassword
Job succeeded
```
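As an added example (not code from this report or from GitLab), the following Python model shows the decision behind the bug: which variables a pipeline receives depends on whether its ref counts as protected, and the report's scenario is a tag whose name matches a protected *branch* rule. The `Project` structure, the two rule lists, and the variable names are constructed for illustration; the buggy check consults the branch rules for any ref, while the fixed check consults only the rule set for the ref's own type.

```python
"""Model of a protected-ref check and the protected-variable leak it causes.

Constructed example, not GitLab's implementation. It assumes a project keeps
separate protection rules for branches and tags (both allowing '*' wildcards)
and that a variable marked "protected" may only reach pipelines on a
protected ref.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Project:
    protected_branches: list   # wildcard patterns, e.g. ["master", "release/*"]
    protected_tags: list       # wildcard patterns, e.g. ["v*"]
    protected_variables: dict  # only injected on protected refs
    variables: dict            # ordinary variables, injected everywhere


def matches_any(name, patterns):
    """True if the ref name matches any wildcard pattern (case-sensitive)."""
    return any(fnmatchcase(name, p) for p in patterns)


def ref_is_protected_buggy(project, ref_name, ref_type):
    """The flawed behaviour the report describes: branch rules are applied to
    every ref, so a tag named like a protected branch is treated as protected."""
    if matches_any(ref_name, project.protected_branches):
        return True
    return ref_type == "tag" and matches_any(ref_name, project.protected_tags)


def ref_is_protected(project, ref_name, ref_type):
    """Corrected check: consult only the rule set for the ref's own type."""
    if ref_type == "branch":
        return matches_any(ref_name, project.protected_branches)
    if ref_type == "tag":
        return matches_any(ref_name, project.protected_tags)
    raise ValueError(f"unknown ref type: {ref_type!r}")


def variables_for_pipeline(project, ref_name, ref_type, check=ref_is_protected):
    """Environment a job on (ref_name, ref_type) would receive under `check`."""
    env = dict(project.variables)
    if check(project, ref_name, ref_type):
        env.update(project.protected_variables)
    return env


# Constructed project: "master" is protected as a branch, "v*" as tags.
PROJECT = Project(
    protected_branches=["master", "release/*"],
    protected_tags=["v*"],
    protected_variables={"PROTECTED_SECRET": "myhiddenpassword"},
    variables={"CI_DEBUG": "1"},
)


def demo():
    """Evaluate a tag named 'master' under both checks.

    Returns (leaked_under_buggy_check, leaked_under_fixed_check)."""
    buggy = variables_for_pipeline(PROJECT, "master", "tag",
                                   check=ref_is_protected_buggy)
    fixed = variables_for_pipeline(PROJECT, "master", "tag")
    return "PROTECTED_SECRET" in buggy, "PROTECTED_SECRET" in fixed


if __name__ == "__main__":
    leaked_buggy, leaked_fixed = demo()
    print(f"tag 'master' gets secret: buggy={leaked_buggy} fixed={leaked_fixed}")
```

The fixed check still honours wildcard rules of the correct type (a `v1.0` tag under `v*`, a `release/2.0` branch under `release/*`); it only stops a tag from inheriting protection that was granted to a branch name.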
Edited by James Edwards-Jones