gitlab-org / gitlab · Issue #363827 (Closed)
Issue created May 31, 2022 by David Fernandez (@10io, Maintainer)

IP allow-list bypass when using Deploy Keys/Tokens to access the Dependency Proxy

🛡 Context

This issue was discovered when investigating the blast radius of https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7149.

All related issues are confidential so this one is confidential too.

🔥 Problem

Group access can be restricted by IP address. See https://docs.gitlab.com/ee/user/group/#restrict-group-access-by-ip-address.

That restriction does not appear to be applied when a Deploy Token is used to pull images through the Dependency Proxy: the token is authenticated, but the group's IP allow-list is never consulted.

We had a similar issue with Container Registry access. See https://gitlab.com/gitlab-org/gitlab/-/issues/363651.

👣 Steps to reproduce

  1. Have GDK ready with registry support and a Premium tier license.
  2. Create a group.
  3. Restrict the group to IP 200.200.200.200 (or any IP address your machine doesn't have).
  4. Create a group deploy token.
  5. Set up the Dependency Proxy.
  6. Pull a dummy image (such as alpine:latest) through the Dependency Proxy:
     $ docker pull <dependency_proxy_prefix>/alpine:latest
  7. The pull operation is allowed and works, even though the request comes from an IP outside the allow-list. 💥

🚒 Solution

Apply a solution similar to https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470:

  • The dependency proxy authentication service should check for the read_dependency_proxy permission on the group policy using the target group.
  • The group policy should be updated with lines similar to these.
    • Use that condition to allow read_dependency_proxy. Similar to these.
  • Update the EE group policy to prevent read_dependency_proxy when the IP restriction is triggered.

Because this can break dependency proxy access, we need to be cautious about how we deploy this. This is the same situation as in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470, thus we can use the same approach for deployment.
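To make the reproduction and the proposed check concrete, here is an added Ruby example. It is not GitLab's code and not the DeclarativePolicy rules the links above refer to; it models a group with an IP allow-list, a group deploy token, and the Dependency Proxy authorization decision twice: as the issue reports it (token checked, group policy never consulted) and as the fix describes it (read_dependency_proxy on the target group, denied when the IP restriction is triggered). The struct names, the `read_registry` scope, and the CIDR list are assumptions made for the example.

```ruby
require 'ipaddr'

# Constructed models (hypothetical, not GitLab's): a group with an optional
# list of allowed CIDR ranges, and a group deploy token with a set of scopes.
Group = Struct.new(:name, :allowed_ranges)
DeployToken = Struct.new(:group, :scopes)

# Hypothetical scope name assumed to grant Dependency Proxy reads.
DEPENDENCY_PROXY_SCOPE = :read_registry

# Returns true when the group has an IP restriction configured and the client
# address lies outside every allowed range. An unparsable client address is
# treated as restricted (fail closed) instead of silently granting access.
def ip_restriction_triggered?(group, client_ip)
  ranges = group.allowed_ranges
  return false if ranges.nil? || ranges.empty?

  ip = IPAddr.new(client_ip)
  ranges.none? { |cidr| IPAddr.new(cidr).include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

# Behaviour the issue reports: authentication looks only at the token, so the
# group's IP restriction never comes into play (client_ip is ignored).
def read_dependency_proxy_before_fix?(group, token, _client_ip)
  token.group == group && token.scopes.include?(DEPENDENCY_PROXY_SCOPE)
end

# Behaviour the proposed fix describes: the authentication service asks the
# group policy for read_dependency_proxy on the target group, and that policy
# denies the permission whenever the IP restriction is triggered.
def read_dependency_proxy_after_fix?(group, token, client_ip)
  return false unless token.group == group
  return false unless token.scopes.include?(DEPENDENCY_PROXY_SCOPE)

  !ip_restriction_triggered?(group, client_ip)
end

# Walks the reproduction steps: a group restricted to an address the client
# does not have, and a pull attempted with that group's own deploy token.
# `policy` names which of the two decision functions to evaluate.
def reproduce(client_ip, policy)
  group = Group.new('restricted-group', ['200.200.200.200/32'])
  token = DeployToken.new(group, [DEPENDENCY_PROXY_SCOPE])
  send(policy, group, token, client_ip)
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix, pull from 203.0.113.5 allowed?     #{reproduce('203.0.113.5', :read_dependency_proxy_before_fix?)}"
  puts "after fix,  pull from 203.0.113.5 allowed?     #{reproduce('203.0.113.5', :read_dependency_proxy_after_fix?)}"
  puts "after fix,  pull from 200.200.200.200 allowed? #{reproduce('200.200.200.200', :read_dependency_proxy_after_fix?)}"
end
```

The point the split into two functions makes is that the fix lives in the group policy, not in token validation: the token remains valid, but the permission it is asked for is withheld for requests from outside the allow-list, which is the same shape as the Container Registry fix referenced above.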

Edited Jul 13, 2022 by David Fernandez