Bypass of GitLab CI runner slash fix in YAML validation!
HackerOne report #537537 by bull on 2019-04-13, assigned to estrike:
Hi,
I have found that after #301432 and #409395 (closed), I can still inject malicious directory traversal into the cache key.
Issue:
Directory traversal can still be injected into the cache key by using the GitLab API to inject it via variables, which is forbidden in the web UI and according to your documentation.
However, there is now an additional check in place before making the request to the cache server, whether the project is the same as the project of the build in Docker.
So it doesn't request the URL if the project ID is not that of the project.
I thought you might want to fix the injection as someone might find a bypass, as I found some perks.
Double variable manipulation:
I found that double variable manipulation can still be used to make a malicious URL, when variable l is set to ../1/cache and we inject into the key:
a:
  script:
    - ls -lashR
  cache:
    key: "$$l"
    policy: pull
    paths:
      - .
This gets converted into $l and injected as $l.
However, this gives a 403 when the URL is requested, which might be because the URL is signed for
/gitlab-com-runners-cache/project/10982096/$l?signature=nstuff.....
but at the time of requesting, this variable is manipulated:
/gitlab-com-runners-cache/project/1/cache?signature=nstuff....
not for after manipulation.
If you would like to fix the injection, in the meantime I will let you know if I could take it any further.
Thanks
bull
Impact
Directory traversal injection might bypass access to the cache of other projects.