Cross-project pipelines leak pipeline status of private downstream pipelines and private project name
HackerOne report #697668 by xanbanx
on 2019-09-19, assigned to @jritchey:
Hi GitLab Security Team,
Summary
GitLab supports cross-project pipelines. Here, the pipeline of one project triggers the pipeline of another project (downstream project).
However, if the downstream project is private, the upstream project's pipeline view leaks the pipeline status of the private downstream pipeline as well as the private project name.
Steps to reproduce
Tested on GitLab Enterprise Edition 12.3.0-pre 32dae283
- Create a public group named `public-group`
- Within the public group, create a private project named `private-project`
- In the private project, add a `.gitlab-ci.yml` file with the following content:

```yaml
build_image:
  script:
    - echo "private project"
```

- Within the public group, create a public project named `public-project`
- In the public project, add a `.gitlab-ci.yml` file with the following content:

```yaml
stages:
  - build
  - test

build_image:
  stage: build
  script:
    - echo "public project"

downstream_pipeline:
  stage: test
  trigger: public-group/private-project
```

- As an unauthenticated user, visit `https://example.gitlab.com/public-group/public-project/pipelines` and click on the last pipeline
- The pipeline graph now leaks the pipeline status of the private downstream pipeline as well as the private project name
Impact
Unauthorized users can see the pipeline status of private downstream pipelines. Furthermore, they can access the name of private projects.
Examples
Goto https://gitlab.com/public-group-docker/public-project/pipelines/83132075
Here you see that the private downstream pipeline succeeded and also the name of the private repository.
What is the current bug behavior?
Private downstream pipelines are visible to unauthorized users, thus leaking the pipeline status of private projects' pipelines and the names of private projects.
What is the expected correct behavior?
Do not show downstream pipelines if the user has no access to the private project.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
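The expected behaviour the report asks for, shown as an added example that is not GitLab's own code: a small Ruby model of a pipeline graph in which a bridge job's downstream pipeline details (project path and status) are rendered only when the viewer can read the downstream project. The `Project`, `Pipeline` and `Bridge` structs, the `can_read_project?` check and the sample data are hypothetical and constructed for this illustration; they do not reflect GitLab's internal classes or permission model.

```ruby
# Hypothetical model (not GitLab code) of the visibility check that a
# cross-project pipeline graph needs before it shows downstream details.

# visibility is :public or :private; members lists user names allowed to read
Project  = Struct.new(:path, :visibility, :members)
Pipeline = Struct.new(:project, :status)
# a bridge job ("trigger:") links an upstream job to a downstream pipeline
Bridge   = Struct.new(:name, :downstream_pipeline)

# Hypothetical permission check: public projects are readable by anyone,
# private projects only by their members. An anonymous viewer is nil.
def can_read_project?(user, project)
  return true if project.visibility == :public

  !user.nil? && project.members.include?(user)
end

# Vulnerable rendering, as described in the report: every bridge exposes
# the downstream project path and pipeline status regardless of the viewer.
def render_downstream_unfiltered(bridges)
  bridges.map do |bridge|
    downstream = bridge.downstream_pipeline
    { job: bridge.name, project: downstream.project.path, status: downstream.status }
  end
end

# Fixed rendering: the bridge job itself is still listed (it belongs to the
# public upstream pipeline), but the downstream project path and status are
# included only when the viewer can read the downstream project.
def render_downstream_filtered(user, bridges)
  bridges.map do |bridge|
    downstream = bridge.downstream_pipeline
    entry = { job: bridge.name }
    next entry unless can_read_project?(user, downstream.project)

    entry.merge(project: downstream.project.path, status: downstream.status)
  end
end

# Constructed sample data mirroring the report's setup: a public upstream
# project whose bridge job triggers a pipeline in a private project.
PRIVATE_PROJECT = Project.new("public-group/private-project", :private, ["alice"])
SAMPLE_BRIDGES = [
  Bridge.new("downstream_pipeline", Pipeline.new(PRIVATE_PROJECT, "success"))
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered (anonymous): #{render_downstream_unfiltered(SAMPLE_BRIDGES).inspect}"
  puts "filtered (anonymous):   #{render_downstream_filtered(nil, SAMPLE_BRIDGES).inspect}"
  puts "filtered (member):      #{render_downstream_filtered('alice', SAMPLE_BRIDGES).inspect}"
end
```

Running it prints the leaking entry for the anonymous viewer in the unfiltered case, only `{job: "downstream_pipeline"}` in the filtered case, and the full entry again for the member `alice`. The design point is that the check is applied against the downstream project's own visibility at render time, not inherited from the upstream project's public status.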