IP allow-list bypass when using Deploy Keys/Tokens to access the Dependency Proxy
Context
This issue was discovered when investigating the blast radius of https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7149.
All related issues are confidential so this one is confidential too.
Problem
Groups access can be restricted by IP. See https://docs.gitlab.com/ee/user/group/#restrict-group-access-by-ip-address.
That restriction doesn't seem to be applied with Deploy Token pulling images through the Dependency Proxy.
We had a similar issue with the Container Registry access. See https://gitlab.com/gitlab-org/gitlab/-/issues/363651.
Steps to reproduce
- Have GDK ready with registry support and a premium tier license.
- Create a Group.
-
Enforce IP
200.200.200.200
or any IP that your computer doesn't have. - Create a Group deploy token.
- Set up the Dependency Proxy.
-
Pull a dummy image (such as
alpine:latest
) through the Dependency Proxy.$ docker pull <dependency_proxy_prefix>/alpine:latest
- The pull operation is allowed and works.
Solution
Apply a solution similar to https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470:
- The dependency proxy authentication service should check for the
read_dependency_proxy
permission on the group policy using the target group. - The group policy should be updated with lines similar to these.
- Use that condition to allow
read_dependency_proxy
. Similar to these.
- Use that condition to allow
- Update the EE group policy to prevent
read_dependency_proxy
when the IP restriction is triggered.
Because this can break the dependency proxy access, we need to be cautions on how to deploy this. This is the same situation as in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470, thus we can use the same approach on deployment.