Add check to export data script for variable type

Background

A wrong CI ENV variable type can lead to a security breach incident like: https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1368424305

It completes the request from https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1367754955 and resolves https://gitlab.com/gitlab-org/analytics-section/product-intelligence/metrics-library/-/issues/1

Goal

Check the variable type before it is used for authentication, which can cause data leakage.

Verification

Here is a job log that ran before the correct safeguard was added: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181930165

And here is one that ran with the safeguard: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181969206

And another with the safeguard, when the correct variable type is set: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182175231

Final scenario, where the CI ENV variable (GOOGLE_PROJECT_ID) type is set to file when it should be variable. In that case it looks like the variable content is not exposed: https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182783373

You can trigger new jobs from https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/pipeline_schedules/375132/edit to see it fail,

or change the env type of GCLOUD_SERVICE_KEY to file and see the type validation pass.

Edited by Mikołaj Wawrzyniak
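
One way to write the kind of variable-type check described in this merge request, as an added example that is not the project's export script. The function name `check_ci_var_type` and its return codes are hypothetical, and the "variable" direction of the check goes beyond the file-type case the description focuses on.

```shell
#!/bin/sh
# Added example (not the project's script). In GitLab CI a "File"-type variable
# expands to the PATH of a temp file holding the secret; a "Variable"-type one
# expands to the secret itself, so passing it where a path is expected can put
# the secret into command arguments and error messages.

# check_ci_var_type NAME EXPECTED   (EXPECTED: "file" or "variable")
# Returns 0 on match, 1 on type mismatch, 2 on bad usage or empty variable.
# Messages name the variable only; its value is never printed.
check_ci_var_type() {
    _name=$1
    _expected=$2

    # Only accept a plain identifier before using it in eval.
    case $_name in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
            echo "ERROR: invalid variable name" >&2
            return 2 ;;
    esac
    eval "_value=\${$_name-}"

    if [ -z "$_value" ]; then
        echo "ERROR: $_name is unset or empty" >&2
        return 2
    fi

    case $_expected in
        file)
            if [ -f "$_value" ] && [ -r "$_value" ]; then
                return 0
            fi
            echo "ERROR: $_name must be a CI variable of type File" >&2
            return 1 ;;
        variable)
            if [ -f "$_value" ]; then
                echo "ERROR: $_name must be a CI variable of type Variable" >&2
                return 1
            fi
            return 0 ;;
        *)
            echo "ERROR: expected type must be 'file' or 'variable'" >&2
            return 2 ;;
    esac
}

# Intended use, before any authentication step reads the key:
#   check_ci_var_type GCLOUD_SERVICE_KEY file     || exit 1
#   check_ci_var_type GOOGLE_PROJECT_ID  variable || exit 1
```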
