Prefill variables do not check permission of the project in external CI config
Summary
An attacker can read other projects' top-level YAML variables that carry a description by combining an external CI config with prefill variables.
I found this vulnerability when working on #353456 (closed).
The vulnerability was introduced by #336184 (closed) in v14.4.
P.S. this does not affect the new GraphQL endpoint because we missed the implementation of this external project feature (!93387 (merged)).
Steps to reproduce
- Project 1: Private, has a `.gitlab-ci.yml` file with some top-level YAML variables:

  ```yaml
  variables:
    VAR1:
      value: my secret 1
      description: this is my var 1
    VAR2: my secret 2
  test:
    script: exit 0
  ```
- Project 2: Public/Private, has an external "CI/CD configuration file".
- In Project 2, open the Pipeline Run page and see;
Possible fixes
- Move the external project logic from `app/controllers/projects/pipelines_controller.rb` to `app/services/ci/list_config_variables_service.rb`.
- Use the same logic in `lib/gitlab/ci/pipeline/chain/config/content/external_project.rb`.
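Added illustration of the reported behaviour and of the proposed fix, written in plain Ruby rather than taken from GitLab's code: the `Project` struct, `can_read_ci_config?`, the two listing functions and `demo_projects` are constructed stand-ins for GitLab's models, policies and services, and the data mirrors the two-project setup above.

```ruby
require 'yaml'

# Constructed stand-ins for the records involved; not GitLab's own models.
Project = Struct.new(:path, :visibility, :ci_config_path, :ci_yaml, :members, keyword_init: true)

# Prefill variables are the top-level `variables` entries that carry a `description`.
def prefill_variables(yaml)
  YAML.safe_load(yaml).fetch('variables', {}).each_with_object({}) do |(name, spec), out|
    next unless spec.is_a?(Hash) && spec.key?('description')
    out[name] = { 'value' => spec['value'], 'description' => spec['description'] }
  end
end

# Simplified stand-in for GitLab's policy check: public projects are readable by
# anyone, private ones only by their members.
def can_read_ci_config?(user, project)
  project.visibility == :public || project.members.include?(user)
end

# An external CI config uses the "file.yml@group/other" form; the part after the
# '@' names the project whose YAML is actually used.
def config_project(project, projects)
  _file, external = project.ci_config_path.to_s.split('@', 2)
  external ? projects.fetch(external) : project
end

# Behaviour the issue reports: the external project's YAML is read for the
# Pipeline Run page without checking that `user` may read that project.
def list_config_variables_unchecked(_user, project, projects)
  prefill_variables(config_project(project, projects).ci_yaml)
end

# Hardened form: gate the external project behind the permission check before
# reading its YAML, so a member of project 2 alone gets nothing from project 1.
def list_config_variables_checked(user, project, projects)
  source = config_project(project, projects)
  return {} unless can_read_ci_config?(user, source)
  prefill_variables(source.ci_yaml)
end

# Constructed data mirroring the two-project setup from the steps to reproduce.
def demo_projects
  yaml = "variables:\n  VAR1:\n    value: my secret 1\n    description: this is my var 1\n  VAR2: my secret 2\ntest:\n  script: exit 0\n"
  p1 = Project.new(path: 'group/project1', visibility: :private, ci_config_path: nil, ci_yaml: yaml, members: ['owner'])
  p2 = Project.new(path: 'group/project2', visibility: :public, ci_config_path: '.gitlab-ci.yml@group/project1', ci_yaml: '', members: ['owner', 'outsider'])
  { p1.path => p1, p2.path => p2 }
end
```

Only `VAR1` is a prefill variable (it has a description); `VAR2` is never shown on the form either way, which is why the report is limited to variables that use `description`.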
Edited by Furkan Ayhan