Delete a registered runner as unauthorised user
Issue #685239 is fixed as of the latest security release (https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/), which covers updating and removing runners as a maintainer, but this issue is different.
In this case, you as a project maintainer are able to delete a registered runner in a different project where you don't have the rights to do it. This happens when a runner is registered by a user in a separate project and is then enabled in a project where you have maintainer rights. As a project maintainer you only have permission to pause or enable/disable that runner within that project in the UI. However, using the API below, you can delete this registered runner from the other project where you don't have rights.
curl --request DELETE "https://gitlab.example.com/api/v4/runners" --form "token=<authentication_token>"
Steps to reproduce
- Create a group and 2 projects within it
- As a project maintainer, register a runner in Project1
- When you navigate to Project2, you have the option to enable it (as you created it in Project1).
- Enable this runner in Project2
- Add one more user as project maintainer in
- Login as the above user now, i.e. maintainer in
- Go to https://gitlab.com///-/settings/ci_cd#js-runners-settings. You will see that you can either pause or disable the runner. You will not see the Remove Runner option here because this runner is registered in a different project (Project1) where you don't have access.
- Now just visit the API https://gitlab.com/api/v4/runners/<ID>. You should see the ID in the page itself.
- In the response, you should see the value of token for this runner. Just copy it and use it in the API below to delete this registered runner:
curl --request DELETE "https://gitlab.com/api/v4/runners" --form "token=<Token_from_above_response>"
What is the current bug behavior?
Allows unauthorised users to delete a registered runner.
What is the expected correct behavior?
In my opinion, the token value should not be exposed to users in the above situations.
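To make the authorization gap concrete, here is an added toy model (not GitLab's code; the class and function names, and the policy that only maintainers of the registering project may manage a runner, are assumptions of this example). The "vulnerable" serializer mirrors the reported behaviour of GET /api/v4/runners/<ID>, where any user who may view the runner also receives its token and can then call DELETE /api/v4/runners with it; the "fixed" serializer withholds the token from users who are not allowed to remove the runner.

```python
from dataclasses import dataclass, field

# Added illustration, not GitLab's code: a toy model of the report's scenario.
# Runner, User, can_manage_runner and the policy they encode are assumptions.

@dataclass
class Runner:
    id: int
    token: str            # runner authentication token, must stay secret
    registered_in: str    # project that registered the runner (Project1)
    enabled_in: set = field(default_factory=set)  # projects that only enabled it

@dataclass
class User:
    name: str
    maintainer_of: set    # projects where this user is a maintainer

def can_view_runner(user, runner):
    """Maintainers of any project the runner serves may see, pause or disable it."""
    return bool(user.maintainer_of & ({runner.registered_in} | runner.enabled_in))

def can_manage_runner(user, runner):
    """Assumed policy: only maintainers of the registering project may remove it."""
    return runner.registered_in in user.maintainer_of

def serialize_vulnerable(user, runner):
    """Bug as reported: the token is returned to anyone allowed to view the runner."""
    if not can_view_runner(user, runner):
        return None
    return {"id": runner.id, "token": runner.token}

def serialize_fixed(user, runner):
    """Fix the report asks for: the token is only included for users who may manage it."""
    if not can_view_runner(user, runner):
        return None
    data = {"id": runner.id}
    if can_manage_runner(user, runner):
        data["token"] = runner.token
    return data

def delete_by_token(registry, token):
    """DELETE /runners --form token=...: the token is the only credential checked."""
    for rid, r in list(registry.items()):
        if r.token == token:
            del registry[rid]
            return True
    return False

def runner_survives(serializer):
    """Replay the report's steps with the given serializer; True if the runner is safe."""
    registry = {7: Runner(7, "constructed-secret-token", "Project1", {"Project2"})}
    project2_maintainer = User("second_maintainer", {"Project2"})  # constructed user
    view = serializer(project2_maintainer, registry[7])
    if view and "token" in view:
        delete_by_token(registry, view["token"])
    return 7 in registry
```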
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Allows unauthorised deletion of a registered runner.