Exploit in mirroring and CI allows theft of other users' repositories
This was reported via a support web form. I don't believe the reporter understands the full implications of this vulnerability.
https://gitlab.zendesk.com/agent/tickets/79805
The EE mirroring feature can be abused to steal repositories from other users (and probably more).
- Create a project and repository.
- Create a mirror of that project.
- Grant another user/victim `master` rights to the mirror.
- Assign them as the "mirror user" on the mirror and enable "Trigger pipelines for mirror updates".
- Change the `.gitlab-ci.yml` file on the original repository to include a command such as: `git clone https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/root/myprivproj.git`
This code now executes in the victim user's context. Their CI variables can be used to steal their projects.
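An audit sketch for the condition described above, added here as an example and not taken from the report or from GitLab's code: it flags mirrors whose update pipelines run as a user other than the project creator, and CI files that use the job token to clone a different project. The field names (`mirror`, `mirror_user_id`, `mirror_trigger_builds`, `creator_id`) are those returned by the GitLab Projects API on EE; the sample records, the CI file, and the "creator differs from mirror user" heuristic are assumptions constructed for illustration.

```python
import re

# Job-token credential embedded in a Git URL; captures the project path.
TOKEN_URL = re.compile(
    r"https?://gitlab-ci-token:\$\{?CI_JOB_TOKEN\}?@[^/\s]+/"
    r"(?P<path>[^\s'\"]+?)(?:\.git)?(?=[\s'\"]|$)"
)

def risky_mirrors(projects):
    """Ids of mirrors that trigger pipelines as a user other than the creator."""
    return [
        p["id"] for p in projects
        if p.get("mirror") and p.get("mirror_trigger_builds")
        and p.get("mirror_user_id") not in (None, p.get("creator_id"))
    ]

def foreign_token_clones(ci_yaml_text, own_path):
    """Project paths other than own_path that the CI file clones with the job token."""
    return sorted({m.group("path") for m in TOKEN_URL.finditer(ci_yaml_text)
                   if m.group("path") != own_path})

# Constructed sample data (not real projects or users).
SAMPLE_PROJECTS = [
    {"id": 1, "creator_id": 10, "mirror": True, "mirror_user_id": 20,
     "mirror_trigger_builds": True},   # pipelines run as someone else: review
    {"id": 2, "creator_id": 10, "mirror": True, "mirror_user_id": 10,
     "mirror_trigger_builds": True},   # creator is the mirror user
    {"id": 3, "creator_id": 11, "mirror": True, "mirror_user_id": 30,
     "mirror_trigger_builds": False},  # no pipelines on mirror updates
    {"id": 4, "creator_id": 12, "mirror": False},
]
SAMPLE_CI = """\
build:
  script:
    - git clone https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/root/myprivproj.git
    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/attacker/mirror.git
"""

if __name__ == "__main__":
    print("mirrors to review:", risky_mirrors(SAMPLE_PROJECTS))
    print("foreign clones:", foreign_token_clones(SAMPLE_CI, "attacker/mirror"))
```

A flagged mirror is a lead for review, not proof of abuse; legitimate setups can also assign a mirror user who is not the creator.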