Exposure of trigger tokens on project exports
HackerOne report #497144 by
mishre on 2019-02-16, assigned to
Any user can create a trigger token for themselves so that pipelines started with it run CI/CD jobs in that user's context. Jobs created on the user's behalf via the trigger token have access to all the resources (repositories) the user has access to (as explained here: https://docs.gitlab.com/ee/ci/triggers/#taking-ownership-of-a-trigger). Maintainers of the repository normally cannot see other users' trigger tokens (only their own), because a token gives complete access (via CI/CD jobs) to perform actions on the owner's behalf.
However, any maintainer can export the project, and the export leaks the trigger tokens of all other maintainers of the repository in plaintext through a file called project.json, which contains the project settings needed to restore the project later.
Steps To Reproduce:
- Create a new repository.
- Go to the Members section of the repository and add another maintainer (the attacker).
- Go to the CI/CD settings of the project and create a trigger token (as the victim).
- Log in as the attacker and go to the CI/CD settings of the project: you should not be able to see the victim's trigger token.
- Still as the attacker, create an export of the project.
- Download the exported .tar.gz file and open the file called project.json inside it.
- Search for the word "trigger" in the JSON file: the victim's token is visible in plaintext and can be used to impersonate the victim.
An attacker can impersonate the victim and gain access to all the repositories the victim has access to.
Update the user docs to explicitly call out the fact that trigger tokens are not exported for security reasons.
Pipeline triggers are listed as unsupported for GitLab in https://gitlab.com/gitlab-com/customer-success/professional-services-group/global-practice-development/migration/congregate/-/blob/master/customer/gitlab-migration-features-matrix.md#L42; the Congregate tool should still be able to migrate triggers, as it uses the GitLab API rather than file export.
documentation: add Pipeline triggers to the list in the docs at https://gitlab.com/gitlab-org/gitlab/blob/master/doc/user/project/settings/import_export.md#L133
test: verify that the exported project does not contain the token.
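The following is an added example (not code from the report or from GitLab) that automates the last reproduction step above and the test task just listed: it unpacks an export .tar.gz, loads project.json, and walks the whole document for any string stored under a "token" key beneath a key whose name contains "trigger". The project.json layout embedded here (a top-level "triggers" array with "token" and "owner_id" fields) and the token values are constructed for the example; the scan does not depend on that layout, so it works as a regression check even if the real export nests triggers differently.

```python
import io
import json
import tarfile

# Constructed sample of a leaky project.json (layout and token values are assumptions
# made for this example, not copied from a real export).
SAMPLE_PROJECT_JSON = {
    "name": "leaky-project",
    "triggers": [
        {"id": 1, "token": "0b3a0c4f5e6d7a8b9c0d1e2f3a4b5c6d7e8f9a0b", "owner_id": 42},
        {"id": 2, "token": "9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6", "owner_id": 7},
    ],
    "ci_pipelines": [],
}


def build_export(project: dict) -> bytes:
    """Build an in-memory .tar.gz holding project.json, mimicking the export archive."""
    buf = io.BytesIO()
    data = json.dumps(project).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("project.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_trigger_tokens(node, path=()):
    """Return [(json_path, value)] for every string stored under a 'token' key that
    has an ancestor key containing 'trigger' (case-insensitive), wherever it nests."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found.extend(find_trigger_tokens(value, path + (key,)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_trigger_tokens(value, path + (index,)))
    elif isinstance(node, str):
        keys = [p for p in path if isinstance(p, str)]
        if keys and keys[-1] == "token" and any("trigger" in k.lower() for k in keys[:-1]):
            found.append(("/".join(str(p) for p in path), node))
    return found


def scan_export(tgz: bytes):
    """Open the export archive and scan its project.json for trigger tokens."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.extractfile("project.json")
        project = json.load(member)
    return find_trigger_tokens(project)


def export_is_clean(tgz: bytes) -> bool:
    """The regression check: True only if no trigger token survives in the export."""
    return not scan_export(tgz)


def strip_triggers(project: dict) -> dict:
    """What a fixed exporter should produce: the project without any trigger section."""
    return {k: v for k, v in project.items() if "trigger" not in k.lower()}


if __name__ == "__main__":
    leaky = build_export(SAMPLE_PROJECT_JSON)
    for json_path, token in scan_export(leaky):
        print(f"leaked trigger token at {json_path}: {token}")
    print("fixed export clean:", export_is_clean(build_export(strip_triggers(SAMPLE_PROJECT_JSON))))
```

Point scan_export at a real downloaded export (read the file into bytes) to reproduce the finding; in a test suite, export_is_clean on a freshly generated export is the assertion that the fix holds.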