GitLab.org / GitLab / Issues / #239369
Issue created Aug 21, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Unauthorized user is able to access schedule pipeline variables and values

HackerOne report #962462 by vaib25vicky on 2020-08-19, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

The feature allows adding or overwriting variables that are passed to jobs in order to modify the behavior just for that specific instance.

As per gitlab-foss#32568 (comment 32531510), the current security model is:

> If you are owner of schedule (as developer) or master => you can read, modify and delete,
> If you are developer => you can just list, not read,
>
> This allows only owners and masters to read variables assigned to the schedule. It prevents other developers from hijacking schedules, but allows master to fully control them. Master already has access to Secret Variables.

But the API endpoint is clearly showing these values to everyone, even if the user is not part of the project: https://docs.gitlab.com/ee/api/pipeline_schedules.html#get-a-single-pipeline-schedule

PoC

This is my test project https://gitlab.com/thevicc/trigg with a scheduled pipeline whose custom variables you can't read.

Now run this to read the variable and its value:

curl --header "Private-Token: <your_access_token>" https://gitlab.com/api/v4/projects/20618145/pipeline_schedules/69918

Response (screenshot: poc_var.png)

Steps to reproduce
  • Create a project and add a scheduled pipeline with custom variables
  • Only you or the owner can read the variables
  • As a second account, use the API https://docs.gitlab.com/ee/api/pipeline_schedules.html#get-a-single-pipeline-schedule

Impact

This bug allows unauthorized users to read scheduled pipeline custom variables and values. As per the security model, this allows other devs to hijack schedules.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • poc_var.png

How To Reproduce

Please add reproducibility information to this section:

  1. Visit this link while logged in; you'll see the variables (names and values) for a scheduled pipeline in a project you're not a member of: https://gitlab.com/api/v4/projects/20667559/pipeline_schedules/70235
Edited Aug 21, 2020 by Dominic Couture
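The access rule quoted from gitlab-foss#32568 above, written out as a small policy plus the API presenter that enforces it, so the expected behaviour for each role is explicit. This is an added illustration, not GitLab's code: the User/Project/Schedule structs, the role table, the NotAuthorized error and the sample values are assumptions.

```ruby
# Added example, not GitLab's implementation. Models the quoted rule:
#   schedule owner (developer) or maintainer ("master") => read variables
#   developer                                           => list only
#   anyone below developer / non-member                 => no access
ROLE_LEVEL = { none: 0, guest: 10, reporter: 20, developer: 30,
               maintainer: 40, owner: 50 }.freeze

class NotAuthorized < StandardError; end

# Hypothetical stand-ins for the real models.
User     = Struct.new(:id)
Project  = Struct.new(:id, :members)          # members: { user_id => role }
Schedule = Struct.new(:id, :owner_id, :description, :variables)

def role_of(user, project)
  project.members.fetch(user.id, :none)
end

# Listing a schedule requires at least the developer role on the project.
def can_list_schedules?(user, project)
  ROLE_LEVEL[role_of(user, project)] >= ROLE_LEVEL[:developer]
end

# Variables are readable by maintainers/owners of the project, or by the
# schedule's own owner when that owner is a developer.
def can_read_schedule_variables?(user, project, schedule)
  role = role_of(user, project)
  return true if ROLE_LEVEL[role] >= ROLE_LEVEL[:maintainer]
  role == :developer && schedule.owner_id == user.id
end

# API representation. The 'variables' key is omitted entirely (not blanked)
# when the caller may not read it, so neither names nor values leak.
def present_schedule(user, project, schedule)
  raise NotAuthorized, "not allowed to view schedules" unless can_list_schedules?(user, project)
  body = { id: schedule.id, description: schedule.description }
  if can_read_schedule_variables?(user, project, schedule)
    body[:variables] = schedule.variables.map { |k, v| { key: k, value: v } }
  end
  body
end
```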