Issue created Feb 27, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Exposure of trigger tokens on project exports

HackerOne report #497144 by mishre on 2019-02-16, assigned to asaba:

Summary:
Any user can configure a trigger token for themselves so that pipelines will be used to create CI/CD jobs in their own user context. When using the trigger token, jobs created on the user's behalf will have access to all the resources (repositories) the user has (as explained here: https://docs.gitlab.com/ee/ci/triggers/#taking-ownership-of-a-trigger). Maintainers of the repository cannot usually see the trigger tokens of other users (only their own), as that would give them complete access (via CI/CD jobs) to perform actions on their behalf.

Description:
All maintainers can perform an export of the repository, which in turn will leak all the trigger tokens created by all the other maintainers of the repository through a file called project.json, which contains the information needed to restore the project later.

Steps To Reproduce:

  1. Create a new repository.
  2. Go to the Members section of the repository and add another maintainer (the attacker).
  3. Go to the CI/CD settings of the project and create a trigger token.
  4. Log in as the attacker and go to the CI/CD settings of the project; you should not be able to see the trigger token.
  5. Now create an export of the project.
  6. Download the exported .tar.gz file and open the file called project.json.
  7. Look for the word "trigger" in the JSON file; you should now be able to see the token in plaintext and use it to impersonate the victim.

Supporting Material/References:

  • List any additional material (e.g. screenshots, logs, etc.)

Impact

An attacker can impersonate the victim and gain access to all the repositories the victim has access to.

Documentation

  • Update the user docs to explicitly call out the fact that trigger tokens are not exported for security reasons.

Implementation plan

  • backend Remove :triggers from https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/project/import_export.yml#L91.
  • documentation Mark Pipeline Triggers as unsupported for GitLab in https://gitlab.com/gitlab-com/customer-success/professional-services-group/global-practice-development/migration/congregate/-/blob/master/customer/gitlab-migration-features-matrix.md#L42; the Congregate tool should still be able to migrate triggers, as it uses the GitLab API and not the file export.
  • documentation Add Pipeline triggers to the list in the docs at https://gitlab.com/gitlab-org/gitlab/blob/master/doc/user/project/settings/import_export.md#L133.
  • test Verify that the exported project does not contain the token.
Edited Sep 14, 2021 by Alan (Maciej) Paruszewski
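As an added example, not code from the report, the issue or GitLab itself: a small Ruby script that builds a constructed export archive in the legacy layout the report describes (a single project.json at the root of the tar.gz; the file name and the shape of the triggers relation, an array of hashes with a token field, are assumed), walks project.json for token-like fields, and performs the check the implementation plan asks for, that a trigger token known to exist on the project appears nowhere in the archive. It goes slightly beyond the report by flagging any key named token or ending in _token, not only the triggers relation. The tar is built and read with rubygems' own TarWriter/TarReader, so it needs nothing outside the standard Ruby distribution.

```ruby
require 'json'
require 'stringio'
require 'zlib'
require 'rubygems/package'

# Build an in-memory tar.gz with the layout of a legacy GitLab project export
# (one project.json at the archive root). Constructed for this example; a real
# export carries many more files and relations.
def build_export(project_hash)
  tar_io = StringIO.new
  Gem::Package::TarWriter.new(tar_io) do |tar|
    body = JSON.generate(project_hash)
    tar.add_file_simple('project.json', 0o644, body.bytesize) { |io| io.write(body) }
  end
  Zlib.gzip(tar_io.string)
end

# Return { filename => contents } for every regular file in the tar.gz.
def export_files(tgz_bytes)
  files = {}
  Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(tgz_bytes))) do |tar|
    tar.each { |entry| files[entry.full_name] = entry.read if entry.file? }
  end
  files
end

# Walk parsed JSON and collect every string stored under a key named "token"
# or ending in "_token", with a JSONPath-style location for each hit.
def find_tokens(node, path = '$')
  case node
  when Hash
    node.flat_map do |key, value|
      here = "#{path}.#{key}"
      if value.is_a?(String) && (key == 'token' || key.end_with?('_token'))
        [[here, value]]
      else
        find_tokens(value, here)
      end
    end
  when Array
    node.each_with_index.flat_map { |value, i| find_tokens(value, "#{path}[#{i}]") }
  else
    []
  end
end

# The specific leak from the report: tokens serialised under the project's
# triggers relation in project.json.
def leaked_trigger_tokens(tgz_bytes)
  project = JSON.parse(export_files(tgz_bytes).fetch('project.json', '{}'))
  find_tokens(project).select { |path, _| path.start_with?('$.triggers[') }
end

# The test from the implementation plan: a token known to exist on the
# project must not appear in any file of the archive, not just project.json.
def archive_contains?(tgz_bytes, secret)
  export_files(tgz_bytes).any? { |_, contents| contents.include?(secret) }
end

KNOWN_TOKEN = 'TOKEN-CONSTRUCTED-0001' # constructed placeholder, not a real token format

# Constructed: what the report describes, an export that still serialises the
# triggers relation, token included (field names are assumed).
VULNERABLE_EXPORT = build_export(
  'name' => 'demo', 'path' => 'demo',
  'triggers' => [{ 'id' => 1, 'owner_id' => 42, 'description' => 'deploy', 'token' => KNOWN_TOKEN }],
  'ci_pipelines' => [{ 'id' => 7, 'ref' => 'master', 'status' => 'success' }]
)

# Constructed: the same project once :triggers is dropped from the export config.
FIXED_EXPORT = build_export(
  'name' => 'demo', 'path' => 'demo',
  'ci_pipelines' => [{ 'id' => 7, 'ref' => 'master', 'status' => 'success' }]
)

if $PROGRAM_NAME == __FILE__
  { 'vulnerable' => VULNERABLE_EXPORT, 'fixed' => FIXED_EXPORT }.each do |label, tgz|
    puts "#{label}: trigger tokens in project.json: #{leaked_trigger_tokens(tgz).inspect}"
    puts "#{label}: known token present anywhere in archive: #{archive_contains?(tgz, KNOWN_TOKEN)}"
  end
end
```

To run the same check against a real download, replace the constructed archives with `File.binread('export.tar.gz')` and pass a token copied from the project's CI/CD settings to archive_contains?; the raw search is the one to trust, since it does not depend on where in the export the relation ends up.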