GitLab.org / GitLab / Issues / #118782
Status: Closed
Issue created Dec 17, 2019 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

Force maintainer to take ownership of a scheduled CI pipeline before editing it

Context

This issue was first created via a HackerOne report. The full details of the report have been moved to a comment to keep the description uncluttered.

The worst vulnerability exposed by the report is that a maintainer can execute scheduled pipelines using another maintainer's CI_JOB_TOKEN. Fixing this vulnerability is addressed in #328553 (closed) and will not be addressed by this issue. See #118782 (comment 575544233) for more details.

A lesser vulnerability is that Maintainer B can edit a pipeline schedule created by Maintainer A without Maintainer A's knowledge. This vulnerability will be addressed by this issue.

Proposed solution

Force maintainer or above user B to take ownership of the pipeline schedule in order to edit it. If Maintainer A then wants to edit the schedule, they must take ownership again or pipelines will keep running as maintainer B.

Technical details

Disallow updating schedules owned by other users, by making owner_of_schedule mandatory in Ci::PipelineSchedulePolicy => :update_pipeline_schedule. Move update_pipeline_schedule into a new policy block so that other policies are not affected by this change.

Note: this is a breaking change for the pipeline schedule edit action in the REST API. Because it is a security fix, the breaking change should be communicated in a security blog post with the release of the fix and not before.
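The ownership rule proposed above, modelled as an added example in plain Ruby. This is not GitLab's own Ci::PipelineSchedulePolicy or its DeclarativePolicy DSL; the User and PipelineSchedule structs, the can_update_legacy? / can_update? / can_take_ownership? predicates and the take_ownership! and update_schedule! helpers are assumptions constructed to show the before/after behaviour: Maintainer B is blocked from editing A's schedule until B takes ownership, after which A is blocked in turn until A takes ownership back.

```ruby
# Constructed model of the ownership rule described in this issue.
# Not GitLab code: User, PipelineSchedule, PipelineSchedulePolicy,
# take_ownership! and update_schedule! are illustrative assumptions.

User = Struct.new(:name, :role)                  # role: :developer, :maintainer or :owner
PipelineSchedule = Struct.new(:description, :owner)

class PipelineSchedulePolicy
  MAINTAINER_OR_ABOVE = %i[maintainer owner].freeze

  def initialize(user, schedule)
    @user = user
    @schedule = schedule
  end

  # Pre-fix behaviour: any maintainer-or-above may edit any schedule.
  def can_update_legacy?
    maintainer_or_above?
  end

  # Behaviour proposed in this issue: editing also requires owning the schedule
  # (owner_of_schedule becomes mandatory for update_pipeline_schedule).
  def can_update?
    maintainer_or_above? && owner_of_schedule?
  end

  # Taking ownership stays a maintainer-or-above action; it is a no-op for the owner.
  def can_take_ownership?
    maintainer_or_above? && !owner_of_schedule?
  end

  private

  def maintainer_or_above?
    MAINTAINER_OR_ABOVE.include?(@user.role)
  end

  def owner_of_schedule?
    @schedule.owner == @user
  end
end

# Transfers the schedule to +user+ when policy allows it; returns true on success.
def take_ownership!(user, schedule)
  return false unless PipelineSchedulePolicy.new(user, schedule).can_take_ownership?

  schedule.owner = user
  true
end

# Edits the schedule only when the (post-fix) policy permits it; returns true on success.
def update_schedule!(user, schedule, new_description)
  return false unless PipelineSchedulePolicy.new(user, schedule).can_update?

  schedule.description = new_description
  true
end

# Walks through the Maintainer A / Maintainer B scenario from the issue and
# returns every observed outcome so the sequence can be checked step by step.
def ownership_scenario
  maintainer_a = User.new("Maintainer A", :maintainer)
  maintainer_b = User.new("Maintainer B", :maintainer)
  developer    = User.new("Developer", :developer)
  schedule     = PipelineSchedule.new("nightly", maintainer_a)

  {
    legacy_b_could_edit:  PipelineSchedulePolicy.new(maintainer_b, schedule).can_update_legacy?,
    b_edit_blocked:       !update_schedule!(maintainer_b, schedule, "tampered"),
    developer_cannot_take: !take_ownership!(developer, schedule),
    b_takes_ownership:    take_ownership!(maintainer_b, schedule),
    b_edit_after_take:    update_schedule!(maintainer_b, schedule, "changed by B"),
    a_edit_blocked_now:   !update_schedule!(maintainer_a, schedule, "changed by A"),
    a_retakes_ownership:  take_ownership!(maintainer_a, schedule),
    final_owner:          schedule.owner.name,
    final_description:    schedule.description
  }
end

if __FILE__ == $PROGRAM_NAME
  ownership_scenario.each { |step, outcome| puts "#{step}: #{outcome}" }
end
```

The legacy predicate is kept alongside the new one so the difference is visible in a single run: under the old rule B's edit would have been allowed silently, under the new rule the edit fails until B takes ownership, which is the visible action the issue relies on so that A is not edited out from under without notice.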

Related Security Issue: https://gitlab.com/gitlab-org/security/gitlab/-/issues/658

Edited Apr 22, 2022 by Allison Browne