Exploit in mirroring and CI allows theft of other user's repositories
This was reported via a support web form. I don't believe the reporter understands the full implications of this vulnerability.
The EE mirroring feature can be abused to steal repositories from other users (and probably more).
- Create a project and repository.
- Create a mirror of that project.
- Grant another user (the victim) `master` rights to the mirror.
- Assign them as the "mirror user" on the mirror and enable "Trigger pipelines for mirror updates".
- Change the `.gitlab-ci.yml` file on the original repository to include a command such as:

```
git clone https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/root/myprivproj.git
```
This job now executes in the victim user's context, so their CI variables (including `CI_JOB_TOKEN`) can be used to steal their private projects.
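An audit check for the configuration the report abuses (added example, not part of the original report or GitLab's code): it flags projects where pipelines are triggered by mirror updates but run as a user other than the project's creator. The records are constructed, and the attribute names `mirror`, `mirror_user_id`, `mirror_trigger_builds` and `creator_id` are assumed to match the Projects API.

```python
"""Flag projects whose mirror-triggered pipelines run as a different user."""

# Constructed sample records, shaped like Projects API output (assumed field names).
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "root/myprivproj", "creator_id": 1,
     "mirror": False, "mirror_user_id": None, "mirror_trigger_builds": False},
    {"id": 2, "path_with_namespace": "attacker/mirror", "creator_id": 7,
     "mirror": True, "mirror_user_id": 1, "mirror_trigger_builds": True},
    {"id": 3, "path_with_namespace": "attacker/quiet-mirror", "creator_id": 7,
     "mirror": True, "mirror_user_id": 1, "mirror_trigger_builds": False},
    {"id": 4, "path_with_namespace": "team/self-mirror", "creator_id": 7,
     "mirror": True, "mirror_user_id": 7, "mirror_trigger_builds": True},
]


def risky_mirrors(projects):
    """Return paths of projects matching the dangerous combination.

    A project is flagged when all three hold:
      * it is a pull mirror,
      * "Trigger pipelines for mirror updates" is enabled, and
      * the mirror user is someone other than the project's creator.
    In that case whoever controls the upstream .gitlab-ci.yml gets a job
    running with the mirror user's CI_JOB_TOKEN and variables.
    """
    flagged = []
    for p in projects:
        if not p.get("mirror") or not p.get("mirror_trigger_builds"):
            continue
        mirror_user = p.get("mirror_user_id")
        if mirror_user is not None and mirror_user != p.get("creator_id"):
            flagged.append(p["path_with_namespace"])
    return flagged


if __name__ == "__main__":
    for path in risky_mirrors(SAMPLE_PROJECTS):
        print("review mirror user and pipeline trigger on", path)
```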