job api: download job artifact only serves login page
Summary
job api: download job artifact only serves login page
Steps to reproduce
I have a gitlab job set up to run every day on gitlab.com (it has been running without changes for months now). This job downloads the artifact of the previous job using the gitlab api:
https://gitlab.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name>
Tonight this job started to fail. After investigating it turns out that gitlab does not serve the artifact via the api, but the plain html login page. We do submit an access token without expiry.
What is the current bug behavior?
After investigating it turns out that gitlab does not serve the artifact via the api, but the plain html login page.
What is the expected correct behavior?
gitlab api should serve artifact of previous jobs
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
There does not seem to be any mention of breaking changes to the api in the docs
Tried to issue a new access token with full access, however when submitting that with the request, the login page is still returned
Solution
The official blog post explaining the change https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/
Improper Enforcement of Token Scope

The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope. The issue is now mitigated in the latest release and is assigned CVE-2018-19569. With this fix, the use of PATs is limited to the API, the RSS feed, and the registry, which could break any existing automation scripts that don't use the API. The impact is expected to be limited. Thanks to Jan Alsenz of Oneconsult AG for responsibly reporting this vulnerability to us.

Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users. For instructions on how to do so through the API, please see our support issue. Thank you to the users participating in this issue. Your feedback is important to us.
The personal access token has been scoped down to API, RSS and registry usage only; the alternatives are as follows:
- Downloading repository files
- Get job artifacts
- Download the artifacts archive
- Download a single artifact file
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120859334
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120860243
- https://gitlab.com/gitlab-org/gitlab-ce/issues/54572#note_120999839
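The following script is an added example, not code from the issue or from GitLab: it rebuilds the web-UI URL quoted in the report as the equivalent Job Artifacts API call (`/api/v4/projects/:id/jobs/artifacts/:ref/raw/*path?job=name`, with the token sent in the `PRIVATE-TOKEN` header), and it checks the downloaded body so a scheduled job fails loudly instead of silently saving an HTML sign-in page. The project path, ref, job name, artifact path and `GITLAB_TOKEN` variable are placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the issue or GitLab): fetch a job artifact through the
# API instead of the web-UI URL, which stopped accepting PATs in 11.5.1.
# Assumptions: the project path, ref, job and file path below are placeholders;
# the token is read from the GITLAB_TOKEN environment variable.

GITLAB_HOST="${GITLAB_HOST:-https://gitlab.com}"

# The API accepts the URL-encoded project path in place of the numeric id:
# "group/project" -> "group%2Fproject".
urlencode_path() {
    printf '%s' "$1" | sed 's|/|%2F|g'
}

# API endpoint for a single file from the artifacts of the latest successful
# job named <job> on <ref>.
artifact_api_url() {
    project="$1"; ref="$2"; job="$3"; path="$4"
    printf '%s/api/v4/projects/%s/jobs/artifacts/%s/raw/%s?job=%s\n' \
        "$GITLAB_HOST" "$(urlencode_path "$project")" "$ref" "$path" "$job"
}

# The web-UI URL from the report, kept for comparison; with a PAT this now
# returns the sign-in page instead of the artifact.
artifact_web_url() {
    project="$1"; ref="$2"; job="$3"; path="$4"
    printf '%s/%s/-/jobs/artifacts/%s/raw/%s?job=%s\n' \
        "$GITLAB_HOST" "$project" "$ref" "$path" "$job"
}

# Return 0 if the saved body looks like an HTML sign-in page, 1 otherwise.
# Artifacts are usually JSON, archives or binaries, so an HTML prologue in the
# first 512 bytes is the symptom from the report, not a valid download.
looks_like_login_page() {
    head -c 512 "$1" | grep -qiE '<!doctype html|<html|sign_in'
}

# Download with the token in the PRIVATE-TOKEN header; fail unless the server
# answered 200 with a non-HTML body.
download_artifact() {
    url="$1"; out="$2"
    status=$(curl -sS -L -H "PRIVATE-TOKEN: ${GITLAB_TOKEN:?set GITLAB_TOKEN}" \
        -o "$out" -w '%{http_code}' "$url") || return 1
    if [ "$status" != "200" ] || looks_like_login_page "$out"; then
        echo "artifact download failed: HTTP $status or HTML body in $out" >&2
        return 1
    fi
    return 0
}

# Usage (placeholder values):
#   url=$(artifact_api_url my-group/my-project master build_job report.json)
#   download_artifact "$url" report.json
```

The content check matters as much as the URL change: the report shows that a wrong URL produces HTTP 200 with a login page, so a script that only tests the exit status of curl keeps "succeeding" while consuming HTML.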