Exposure of trigger tokens on project exports
HackerOne report #497144 by mishre on 2019-02-16, assigned to asaba:
Summary:
Any user can configure a trigger token for himself so that pipelines will be used to create CI/CD jobs in his own user context. When using the trigger token, jobs created on the user's behalf will have access to all the resources (repositories) the user has (as explained here: https://docs.gitlab.com/ee/ci/triggers/#taking-ownership-of-a-trigger). Maintainers of the repository cannot usually see the trigger tokens of other users (only their own), as it would give them complete access (via CI/CD jobs) to perform actions on their behalf.
Description:
All maintainers can perform an export of the repository, which in turn will leak all the trigger tokens created by all the other maintainers of the repository through a file called project.json, which contains various information for later restoring the project.
Steps To Reproduce:
- Create a new repository.
- Go to the Members section of the repository and add another maintainer (the attacker).
- Go to the CI/CD settings of the project and create a trigger token.
- Log in as the attacker and go to the CI/CD settings of the project - you should not be able to see the trigger token.
- Now create an export of the project.
- Download the exported .tar.gz file and open the file called project.json.
- Look for the word "trigger" in the JSON file -> you should now be able to see the token in plaintext and use it to impersonate the victim.
Impact
An attacker can impersonate the victim and gain access to all the repositories the victim has access to.
Documentation
- Update the user docs to explicitly call out the fact that trigger tokens are not exported for security reasons.
Implementation plan
- backend: Remove :triggers from https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/project/import_export.yml#L91
- documentation: Mark Pipeline Triggers as unsupported for GitLab in https://gitlab.com/gitlab-com/customer-success/professional-services-group/global-practice-development/migration/congregate/-/blob/master/customer/gitlab-migration-features-matrix.md#L42. The Congregate tool should still be able to migrate triggers, as it uses the GitLab API and not file export.
- documentation: Add Pipeline triggers to the list in the docs at https://gitlab.com/gitlab-org/gitlab/blob/master/doc/user/project/settings/import_export.md#L133
- test: Verify that the exported project does not contain that token.
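The last item in the plan is a check a maintainer can also run on their own export archives: extract project.json from the downloaded .tar.gz and confirm that no trigger tokens are present. The script below is an added example written for this page, not GitLab code; the project.json sample is constructed here to mirror the "triggers" relation the report describes, and the token value in it is a placeholder, not a real credential. It reports any exported trigger tokens in redacted form and also shows what an export looks like once the triggers relation is dropped, as the backend fix does.

```ruby
require "json"

# Constructed sample of the relevant part of an exported project.json.
# The key names follow the structure described in the report; the token
# is a placeholder and not a real trigger token.
SAMPLE_PROJECT_JSON = <<~JSON
  {
    "name": "example-project",
    "triggers": [
      { "id": 1, "owner_id": 42, "token": "PLACEHOLDER_TRIGGER_TOKEN_abc123" }
    ],
    "ci_pipelines": []
  }
JSON

# Show only the first and last four characters of a token so that the audit
# output does not re-expose the secret it is warning about.
def redact(token)
  return "*" * token.length if token.length <= 8
  "#{token[0, 4]}#{"*" * (token.length - 8)}#{token[-4, 4]}"
end

# Return one finding per trigger token present in an exported project.json.
# An empty array means the export is clean with respect to this issue.
def find_exported_trigger_tokens(project_json)
  data = JSON.parse(project_json)
  triggers = data.fetch("triggers", [])
  triggers.each_with_object([]) do |trigger, findings|
    token = trigger["token"]
    next if token.nil? || token.empty?
    findings << { owner_id: trigger["owner_id"], token_redacted: redact(token) }
  end
end

# Produce the export as it looks once the triggers relation is no longer
# included, which is the effect of removing :triggers from import_export.yml.
def strip_triggers(project_json)
  data = JSON.parse(project_json)
  data.delete("triggers")
  JSON.pretty_generate(data)
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_export.rb [path/to/project.json]
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PROJECT_JSON
  findings = find_exported_trigger_tokens(input)
  if findings.empty?
    puts "OK: no trigger tokens in export"
  else
    puts "FAIL: #{findings.size} trigger token(s) present in export"
    findings.each { |f| puts "  owner_id=#{f[:owner_id]} token=#{f[:token_redacted]}" }
  end
end
```

Run it against the project.json extracted from an export archive; a non-empty result means the archive carries other maintainers' trigger tokens and should be treated as sensitive and the affected tokens rotated.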