Group Ex-Maintainer Could maintain Access to Project's Source Code/Jobs/Pipelines/Artifacts if it had Shared Group Runner Configured
Link: https://hackerone.com/reports/415518
By: @ngalog
Details:
Summary
It may sound complicated, but in reality it is pretty easy to exploit. Normally, after a group maintainer is kicked out of the group, the user will no longer have access to the group's projects. This should be secure by design; however, this design is defeated by Maintainer access to GitLab CI/CD.
Steps to reproduce
- Prepare two users, user A and user B. As user A, create a group and assign user B as the Maintainer of the group.
- As user A, prepare a shared group runner in https://gitlab.com/groups/:group_id/-/settings/ci_cd
- As user B, open a new project under the group, then visit https://gitlab.com/groups/:group_id/-/settings/ci_cd
- As user B, jot down the token value of the group shared runner.
From now on, because user B has the value of the token of the group shared runner, even if the owner A kicks B out of the group, user B can always register a runner for this group and maintain access to the group. And the best part is that the shared group token can never be reset, so this is game over for the group.
Also, for step 3, as a maintainer, normally you can't visit any of the group settings; however, GitLab allows us to do it for CI/CD, which makes this bypass possible.
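The flaw above comes down to one invariant: removing a member must revoke every credential that member obtained through membership. The following toy model, added here as an illustration and not GitLab's code, replays the report's steps against two membership-removal policies. Names such as `Group`, `Runner`, `remove_member_vulnerable`, `remove_member_hardened` and the `registered_by` attribution are assumptions of the model; the "vulnerable" policy mirrors the behaviour the report describes (removal leaves the registration token and existing runners untouched), while the "hardened" policy rotates the shared token on removal and revokes the runners the removed user registered.

```python
"""Toy model of group-scoped runner registration (added example, not GitLab code).

A group holds members and one shared runner registration token. Any holder of
that token can register a runner; registered runners are then eligible to
receive pipeline jobs, which carry the project's source and artifacts.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Runner:
    auth_token: str       # per-runner token handed out at registration
    registered_by: str    # user who presented the registration token (assumed tracked)


@dataclass
class Group:
    members: set
    registration_token: str = field(default_factory=lambda: secrets.token_hex(16))
    runners: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def read_registration_token(self, user):
        """Maintainers/owners can read the shared token from the CI/CD settings page."""
        if user not in self.members:
            raise PermissionError(f"{user} is not a member")
        return self.registration_token

    def register_runner(self, user, token):
        """Registration is authenticated by the token alone, not by current membership."""
        if not secrets.compare_digest(token, self.registration_token):
            raise PermissionError("bad registration token")
        runner = Runner(auth_token=secrets.token_hex(16), registered_by=user)
        self.runners.append(runner)
        return runner

    def job_reaches(self, runner):
        """Would a pipeline job (and its source checkout) be dispatched to this runner?"""
        return runner in self.runners and runner.auth_token not in self.revoked

    def remove_member_vulnerable(self, user):
        """Removal as described in the report: token and runners are left alone."""
        self.members.discard(user)

    def remove_member_hardened(self, user):
        """Removal that also rotates the shared token and revokes the user's runners.

        Without per-runner attribution, the conservative equivalent is to revoke
        every runner registered under the old token and re-register the trusted ones.
        """
        self.members.discard(user)
        self.registration_token = secrets.token_hex(16)
        for runner in self.runners:
            if runner.registered_by == user:
                self.revoked.add(runner.auth_token)


def ex_member_access(policy):
    """Replay the report: B reads the token, is removed, then tries both paths.

    Returns (jobs still reach B's pre-removal runner, B can register a new runner
    with the copied token and receive jobs).
    """
    group = Group(members={"A", "B"})
    leaked = group.read_registration_token("B")          # step 3/4 of the report
    existing = group.register_runner("B", leaked)        # runner set up while still a member
    getattr(group, f"remove_member_{policy}")("B")       # owner A kicks B out
    via_existing = group.job_reaches(existing)
    try:
        via_new = group.job_reaches(group.register_runner("B", leaked))
    except PermissionError:
        via_new = False
    return via_existing, via_new


def owner_runner_survives(policy):
    """The hardened policy must not break runners the remaining owner registered."""
    group = Group(members={"A", "B"})
    owner_runner = group.register_runner("A", group.read_registration_token("A"))
    getattr(group, f"remove_member_{policy}")("B")
    return group.job_reaches(owner_runner)


if __name__ == "__main__":
    print("vulnerable policy (existing runner, new runner):", ex_member_access("vulnerable"))
    print("hardened policy   (existing runner, new runner):", ex_member_access("hardened"))
    print("owner's runner still served under hardened policy:", owner_runner_survives("hardened"))
```

The model makes the detection and mitigation angle concrete: a group's runner list should be reviewed whenever a Maintainer or Owner leaves, any runner that cannot be attributed to a current member should be removed, and the shared registration token should be treated as a group-wide credential that is rotated on every privileged-member departure.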
Impact
Same as title,
Group Ex-Maintainer Could maintain Access to Project's Source Code/Jobs/Pipelines/Artifacts if it had Shared Group Runner Configured