Secret CI variables can be exposed by creating a tag with the same name as an existing protected branch
Steps to reproduce
- Add a secret variable and mark it as protected. It should only be accessible on protected tags/branches to prevent unauthorized access.
- Create a branch matching a protected branch or wildcard. A `master` protection is created by default and can be used here instead.
- Add a `.gitlab-ci.yml` with a script that will steal the secret variable. For test purposes `echo $PROTECTED_SECRET` works, but an attacker might do this silently.
- Create a tag with the same name as the protected branch.
- Find a way to trigger a pipeline for that tag. Note: we'd expect this to happen automatically, but because of a bug we accidentally check `can_update_branch?` for the tag and prevent the pipeline being created. If that bug is fixed this step can be skipped, but for now an attacker might be able to trigger the pipeline using trigger tokens or repository mirroring. See discussion below.
- Notice that the secret is incorrectly available to the script:

```
$ echo $PROTECTED_SECRET
myhiddenpassword
Job succeeded
```
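To make the root cause concrete, here is an added Ruby model of the protected-variable decision. It is not GitLab's code; the protection patterns, variable names and tag names are constructed for the example. It contrasts a check that decides protection by ref name alone (which lets a tag named `master` inherit the branch protection) with one that only consults tag protections for tags and branch protections for branches, and adds a small audit that lists existing tags whose names collide with a protected branch pattern.

```ruby
# Added example, not GitLab's implementation. Protection lists below are constructed.
PROTECTED_BRANCHES = ['master', 'release-*'].freeze   # assumed branch protections
PROTECTED_TAGS     = ['v*'].freeze                    # assumed tag protections

# Constructed CI variables: one protected, one not.
VARIABLES = [
  { key: 'PROTECTED_SECRET', protected: true },
  { key: 'PUBLIC_VAR',       protected: false },
].freeze

# Protected-ref patterns use '*' as the only wildcard; everything else is literal.
def wildcard_match?(pattern, name)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
  re.match?(name)
end

# Flawed check: looks only at the ref name, so a tag called "master" matches the
# branch protection and is treated as protected.
def protected_ref_by_name_only?(ref_name, _ref_type = nil)
  (PROTECTED_BRANCHES + PROTECTED_TAGS).any? { |p| wildcard_match?(p, ref_name) }
end

# Corrected check: the ref type selects which protection list may apply.
def protected_ref?(ref_name, ref_type)
  patterns = case ref_type
             when :branch then PROTECTED_BRANCHES
             when :tag    then PROTECTED_TAGS
             else raise ArgumentError, "unknown ref type #{ref_type.inspect}"
             end
  patterns.any? { |p| wildcard_match?(p, ref_name) }
end

# Keys a pipeline on the given ref would receive under the supplied protection check.
def variables_for(ref_name, ref_type, check)
  VARIABLES.select { |v| !v[:protected] || check.call(ref_name, ref_type) }
           .map { |v| v[:key] }
end

# Audit helper for maintainers: tags that match a protected branch pattern but are
# not protected as tags. Under the flawed check these tags would see protected variables.
def colliding_tags(tag_names)
  tag_names.select do |t|
    PROTECTED_BRANCHES.any? { |p| wildcard_match?(p, t) } && !protected_ref?(t, :tag)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "tag master, name-only check: #{variables_for('master', :tag, method(:protected_ref_by_name_only?)).inspect}"
  puts "tag master, ref-aware check: #{variables_for('master', :tag, method(:protected_ref?)).inspect}"
  puts "colliding tags: #{colliding_tags(%w[master v1.0 release-1 feature]).inspect}"
end
```

The audit function is the defender-side takeaway: until the ref-type-aware check is in place, any existing tag whose name matches a protected branch pattern should be treated as a potential exposure of protected variables.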