Webhook token leaked in project exports allowing to trigger CI pipeline
HackerOne report #698068 by xanbanx
on 2019-09-19, assigned to @jritchey:
Hi GitLab Security Team,
Summary
When exporting a Github connect repository within GitLab, the project export contains the external_webhook_token
. This token allows anyone in possession to forge authentic requests to trigger a CI pipeline within GitLab although the person might not be a project member anymore.
Steps to reproduce
Tested on GitLab Enterprise Edition 12.3.0-pre 32dae283
Before, create a Github account, create a project there, and push a valid .gitlab-ci.yml
file.
- Create a new project. Chose
CI/CD for external repo
to import a project - Chose
Github
underConnect repositories from
- Enter your personal access token from your GitHub account where you want to import the project from
- Select the project you created before Github for sync
- After importing the project, goto
https://example.gitlab.com/<namespace>/<project>/edit
and export the project - Download the project archive, extract it, and inspect the containing
project.json
...
"jobs_cache_index": null,
"external_authorization_classification_label": "",
"external_webhook_token": "hcnPbsfximlueXxaaIkg",
"pages_https_only": true,
"merge_requests_author_approval": null,
...
Note, this is a fake token for the report.
When looking in the code one observes the request POST :id/mirror/pull
in https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/api/project_mirror.rb#L59. This request is used to trigger a new pipeline for a Github connected repository. This request uses the X-Hub-Signature
header to authenticate the request to create the pipeline. This signature is computed by computing an HMAC over the request data using external_webhook_token
as the key.
By being in possession of external_webhook_token
it means that you craft a request and forge a valid X-Hub-Signature
to create a new pipeline. So anyone, who can download the project can later on, when for example he is not a project member anymore, craft such a request and thereby trigger a pipeline.
Impact
The external external_webhook_token
is exported. This allows anyone in possession of this token to forge a valid POST request to trigger a new CI pipeline. In the worst case, an attacker can possibly create thousands of CI pipelines and thus DoS the CI infrastructure.
What is the current bug behavior?
The project export contains external_webhook_token
. This allows anyone to forge a POST request to start a new pipeline.
What is the expected correct behavior?
Do not include the external_webhook_token
in the project export. Anyway, it is not useful because this secret is bound to one specific webhook at Github, which still points to the original GitLab project. Importing the project to a different namespace or different GitLab instance would therefore make this token not working anymore.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
Implementation plan
-
backend Add external_webhook_token
toexcluded_attributes -> project
in https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/project/import_export.yml#L162 and remove it from https://gitlab.com/gitlab-org/gitlab/blob/master/spec/lib/gitlab/import_export/safe_model_attributes.yml#L569, -
test Verify if exported project does not contain that token,