Backend: Implementing hooks/pre_get_sources_script for CI YAML config syntax
Summary
The GitLab CI_REGISTRY_PASSWORD token, as currently designed, inherits the privileges of the user executing a pipeline job on a GitLab instance. From a technical standpoint, this token impersonates the owner of the job to which it is connected. To gain access to the token, both the malicious actor and the target need to be users on the GitLab instance.
There are a couple of methods that a malicious actor can use to gain access to the token:
- Add malicious code into the .gitlab-ci.yml pipeline file.
- Use the CI_PRE_CLONE_SCRIPT pattern as described below.
Proposal
As a part of step 2 in https://gitlab.com/gitlab-org/gitlab/-/issues/201776#note_882123647, the .gitlab-ci.yml parser and the related code that constructs the job entity need to be updated to accept the new script keyword pre_get_sources_script. Note: it needs to be added in the same place where the pre_clone_script value is currently added.
- Add pre_get_sources_script as a new keyword for jobs in .gitlab-ci.yml
- Pass this value to the runner's pre_clone_script configuration option
- Add post_get_sources_script as a new keyword for jobs in .gitlab-ci.yml
- Pass this value to the runner's post_clone_script configuration option
Technical
The GitLab-to-Runner communication will be this:
{
  "hooks": [
    {"name": "pre_get_sources_script", "script": ["line 1", "line 2"]},
    {"name": "post_get_sources_script", "script": ["line 1"]}
  ]
}
The CI config YAML syntax will be this:
my-job:
  hooks:
    pre_get_sources_script:
      - line 1
      - line 2
    post_get_sources_script: line 1
  script:
    - echo "Hello world"
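The following is an added example, not code from the GitLab project, showing the translation the Technical section implies: the parsed hooks section of a job (string or list of lines, like the job's script keyword) is validated and normalized into the {"hooks": [{"name": ..., "script": [...]}]} payload above. Because a hook is job-author-controlled script that the runner executes before sources are fetched, the parser is deliberately strict: unknown hook names and non-string values are rejected rather than passed through. The parsed job dict is constructed inline to mirror the my-job YAML above (no YAML library is needed); the function names and the HooksConfigError exception are assumptions for this example.

```python
import json

# The two hook names the proposal introduces. Assumption for this example:
# this is the complete set; anything else in `hooks:` is rejected.
ALLOWED_HOOKS = ("pre_get_sources_script", "post_get_sources_script")


class HooksConfigError(ValueError):
    """Raised when the hooks section of a job is malformed."""


def normalize_script(value, where):
    """Accept a single string or a list of strings (the CI `script` convention)
    and return a list of script lines; reject anything else."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and value and all(isinstance(v, str) for v in value):
        return list(value)
    raise HooksConfigError(f"{where}: expected a string or a list of strings")


def build_hooks_payload(job_config):
    """Turn the parsed `hooks:` mapping of one job into the list of
    {"name", "script"} entries sent to the runner. Missing hooks -> []."""
    hooks = job_config.get("hooks")
    if hooks is None:
        return []
    if not isinstance(hooks, dict):
        raise HooksConfigError("hooks: expected a mapping of hook name to script")
    unknown = sorted(set(hooks) - set(ALLOWED_HOOKS))
    if unknown:
        raise HooksConfigError(f"hooks: unknown hook name(s): {', '.join(unknown)}")
    # Emit in a fixed order (pre first, then post) so the payload is deterministic
    # regardless of the order the author wrote the keys in YAML.
    return [
        {"name": name, "script": normalize_script(hooks[name], f"hooks:{name}")}
        for name in ALLOWED_HOOKS
        if name in hooks
    ]


def to_runner_json(job_config):
    """Serialize the hooks payload in the wire shape shown in the issue."""
    return json.dumps({"hooks": build_hooks_payload(job_config)}, indent=2)


# Constructed input: the parsed form of the issue's `my-job` YAML example.
SAMPLE_JOB = {
    "hooks": {
        "pre_get_sources_script": ["line 1", "line 2"],
        "post_get_sources_script": "line 1",
    },
    "script": ['echo "Hello world"'],
}

# Constructed input that must be rejected: a hook name the syntax does not define.
BAD_JOB = {"hooks": {"pre_get_sources_script": "ok", "on_failure_script": "rm -rf build"}}

if __name__ == "__main__":
    print(to_runner_json(SAMPLE_JOB))
    try:
        build_hooks_payload(BAD_JOB)
    except HooksConfigError as exc:
        print("rejected:", exc)
```

The string-to-list normalization is what lets post_get_sources_script: line 1 in YAML arrive at the runner as ["line 1"], matching the JSON shown above; keeping the allow-list in one place means a new hook name has to be added explicitly to the parser before a job can ask the runner to execute it.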