Force maintainer to take ownership of a scheduled CI pipeline before editing it
Context
This issue was first created via a HackerOne report. The full details of the report have been moved to a comment to keep the description uncluttered.
The worst vulnerability exposed by the report is that a maintainer can execute scheduled pipelines using another maintainer's CI_JOB_TOKEN. Fixing this vulnerability is addressed in #328553 (closed) and will not be addressed by this issue. See #118782 (comment 575544233) for more details.
A lesser vulnerability is that Maintainer B can edit a pipeline schedule created by Maintainer A without Maintainer A's knowledge. This vulnerability will be addressed by this issue.
Proposed solution
Require a user B with the Maintainer role or above to take ownership of the pipeline schedule before they can edit it. If Maintainer A then wants to edit the schedule again, they must take ownership back first; otherwise the scheduled pipelines will keep running as Maintainer B.
Technical details
Disallow updating schedules owned by other users by making the `owner_of_schedule` condition mandatory for `:update_pipeline_schedule` in `Ci::PipelineSchedulePolicy`. Move `update_pipeline_schedule` into a new policy block so that the other abilities granted by the existing rule are not affected by this change.
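The following is an added, stand-alone Ruby model of the ownership check proposed above; it is not GitLab's DeclarativePolicy code or the actual `Ci::PipelineSchedulePolicy`. The `User`/`Schedule` structs, the mapping of roles onto `admin_pipeline`/`update_build`, and the exact shape of the "current" rule are assumptions made so the before/after behaviour can be run offline. It walks through the Maintainer A / Maintainer B scenario and shows that, under the proposed rule, B cannot edit until taking ownership, after which the pipelines run as B and A must take ownership back before editing again.

```ruby
# Constructed stand-alone model of the authorization change proposed in this issue.
# It is NOT GitLab's DeclarativePolicy code: User/Schedule, the role names and the
# two rule variants are assumptions made so the check can run offline.

User = Struct.new(:name, :role)              # role: :developer, :maintainer or :owner
Schedule = Struct.new(:description, :owner)  # owner: the User whose identity pipelines run as

MAINTAINER_OR_ABOVE = %i[maintainer owner].freeze
DEVELOPER_OR_ABOVE  = %i[developer maintainer owner].freeze

class PipelineSchedulePolicy
  # strict: true  models the proposed rule (owner_of_schedule mandatory)
  # strict: false models the assumed current rule that the issue wants to replace
  def initialize(user, schedule, strict:)
    @user = user
    @schedule = schedule
    @strict = strict
  end

  # Stand-in for `can?(:admin_pipeline)`: Maintainer role and above (assumption).
  def admin_pipeline?
    MAINTAINER_OR_ABOVE.include?(@user.role)
  end

  # Stand-in for `can?(:update_build)`: Developer role and above (assumption).
  def update_build?
    DEVELOPER_OR_ABOVE.include?(@user.role)
  end

  # Stand-in for the `owner_of_schedule` condition.
  def owner_of_schedule?
    @schedule.owner == @user
  end

  # Current (assumed): any maintainer may edit, or a developer who owns the schedule.
  # Proposed: the caller must own the schedule in addition to holding a base permission.
  def update_pipeline_schedule?
    return (admin_pipeline? || update_build?) && owner_of_schedule? if @strict

    admin_pipeline? || (update_build? && owner_of_schedule?)
  end

  # Taking ownership stays available to maintainers who do not own the schedule yet.
  def take_ownership_pipeline_schedule?
    admin_pipeline? && !owner_of_schedule?
  end
end

# Reassigns the schedule to `user` if the policy allows it; returns whether it happened.
def take_ownership!(user, schedule, strict:)
  policy = PipelineSchedulePolicy.new(user, schedule, strict: strict)
  return false unless policy.take_ownership_pipeline_schedule?

  schedule.owner = user
  true
end

def can_update?(user, schedule, strict:)
  PipelineSchedulePolicy.new(user, schedule, strict: strict).update_pipeline_schedule?
end

# Walks through the Maintainer A / Maintainer B scenario from the issue and records
# who may edit at each step and whose identity the scheduled pipelines run as.
def walkthrough(strict:)
  a = User.new("Maintainer A", :maintainer)
  b = User.new("Maintainer B", :maintainer)
  schedule = Schedule.new("nightly", a)  # constructed sample schedule created by A
  steps = {}

  steps[:b_edits_before_taking_ownership] = can_update?(b, schedule, strict: strict)
  steps[:b_takes_ownership]               = take_ownership!(b, schedule, strict: strict)
  steps[:b_edits_after_taking_ownership]  = can_update?(b, schedule, strict: strict)
  steps[:pipelines_run_as]                = schedule.owner.name
  steps[:a_edits_without_taking_back]     = can_update?(a, schedule, strict: strict)
  steps[:a_takes_ownership_back]          = take_ownership!(a, schedule, strict: strict)
  steps[:a_edits_after_taking_back]       = can_update?(a, schedule, strict: strict)
  steps
end

if $PROGRAM_NAME == __FILE__
  puts "current rule:  #{walkthrough(strict: false)}"
  puts "proposed rule: #{walkthrough(strict: true)}"
end
```

The key difference is visible in `b_edits_before_taking_ownership`: the current rule returns true for any maintainer, which is exactly the silent-edit problem in the report, while the proposed rule returns false until B has explicitly taken ownership. Because the take-ownership step changes `schedule.owner`, the model also makes the second half of the proposal concrete: A loses edit rights and the pipelines run as B until A takes the schedule back.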
Note: this is a breaking change for the pipeline schedule edit action in the REST API. Because it is a security fix, the breaking change should be communicated in a security blog post with the release of the fix, not before it.
Related Security Issue: https://gitlab.com/gitlab-org/security/gitlab/-/issues/658