Prefill variables do not check permission of the project in external CI config

Summary

An attacker can read another project's top-level YAML variables that carry a description (the ones offered as prefill variables) by pointing their own project's external CI config at that project's .gitlab-ci.yml; the prefill variables lookup never checks whether the user may read the external project.

I found this vulnerability when working on #353456 (closed).

The vulnerability was introduced by #336184 (closed) in v14.4.

P.S. this does not affect the new GraphQL endpoint because we missed the implementation of this external project feature (!93387 (merged)).

Steps to reproduce

  1. Project 1: Private, has a .gitlab-ci.yml file with some top-level YAML variables.

```yaml
variables:
  VAR1:
    value: my secret 1
    description: this is my var 1
  VAR2: my secret 2

test:
  script: exit 0
```

  2. Project 2: Public/Private, has an external "CI/CD configuration file" pointing at Project 1's .gitlab-ci.yml.

[Screenshot: Screenshot_2022-08-30_at_14.39.42]

  3. In Project 2, open the Pipeline Run page and see:

[Screenshot: Screenshot_2022-08-30_at_14.40.47]

Possible fixes

  1. Move the external project logic from app/controllers/projects/pipelines_controller.rb to app/services/ci/list_config_variables_service.rb.
  2. Use the same logic in lib/gitlab/ci/pipeline/chain/config/content/external_project.rb.
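A minimal model of the proposed fix, added here as an example and not GitLab's own code: the `Project` stand-in, the in-memory project table, the `can_read_project?` check and the handling of the `path/to/.gitlab-ci.yml@group/project[:ref]` setting are assumptions. The unchecked listing reproduces the leak from the steps above; the hardened listing authorizes the current user against the external project before any variable is read.

```ruby
require 'yaml'
# Constructed stand-in for GitLab's Project model (hypothetical, not GitLab's code).
Project = Struct.new(:visibility, :members, :ci_yaml)

PROJECT_1_CI_YAML = <<~YAML
  variables:
    VAR1:
      value: my secret 1
      description: this is my var 1
    VAR2: my secret 2
  test:
    script: exit 0
YAML
PROJECTS = {
  'group/project-1' => Project.new(:private, ['alice'], PROJECT_1_CI_YAML)
}
# Constructed permission check: public projects are readable by anyone, private ones by members.
def can_read_project?(user, project)
  project.visibility == :public || project.members.include?(user)
end

# Resolve the project named in an external "CI/CD configuration file" setting
# of the form "path/to/.gitlab-ci.yml@group/project[:ref]" (nil when not external).
def external_project(ci_config_path)
  _file, rest = ci_config_path.split('@', 2)
  rest && PROJECTS[rest.split(':', 2).first]
end

# Prefill variables: only top-level variables that carry a description are listed.
def extract_prefill_variables(yaml)
  (YAML.safe_load(yaml)['variables'] || {}).each_with_object({}) do |(name, spec), out|
    next unless spec.is_a?(Hash) && spec.key?('description')
    out[name] = { 'value' => spec['value'].to_s, 'description' => spec['description'] }
  end
end

# Vulnerable shape: the external project is resolved but the current user is
# never authorized against it, so Project 2's pipeline page exposes Project 1's VAR1.
def list_config_variables_unchecked(_user, ci_config_path)
  project = external_project(ci_config_path)
  project && extract_prefill_variables(project.ci_yaml)
end

# Hardened shape: the permission check the issue proposes moving into the
# listing service, applied to the external project before anything is read.
def list_config_variables(user, ci_config_path)
  project = external_project(ci_config_path)
  return nil unless project && can_read_project?(user, project)
  extract_prefill_variables(project.ci_yaml)
end
```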
Edited by Furkan Ayhan