IP Group enforcement regression in the Package Registry
🔥 Problem
In https://gitlab.com/gitlab-org/gitlab/-/issues/363863, we fixed a security vulnerability where the group IP enforcement was not properly respected by the Package Registry.
(A) The fix used there was quite simple: if there is an IP enforcement violation, then we simply remove all package registry permissions. See https://gitlab.com/gitlab-org/gitlab/-/blob/8287b24dca55519deec457aea4b25846463b0e98/ee/app/policies/ee/project_policy.rb#L423 and https://gitlab.com/gitlab-org/gitlab/-/blob/8287b24dca55519deec457aea4b25846463b0e98/ee/app/policies/ee/group_policy.rb#L415.
(B) On the other hand, we have a community effort around this issue. Among the changes, we needed to put more conditions on how `read_package` is evaluated and granted by policies. Because of this, we had to create package-dedicated policies for project and group. These policies are very simple: for `read_package`, use their own rules; for everything else, delegate to the project/group policy.
(A) was deployed in %15.3 and (B) in %15.4.
Now guess what happens when (A) and (B) are together? Yeah: group IP enforcement is again not respected from %15.4 for the `read_package` permission, because the dedicated package policy evaluates `read_package` with its own rules and never reaches the project/group policy where the IP enforcement check from (A) lives. `read_package` is the one permission used when pulling packages.
In a few words: this is a regression of a security issue.
🚒 Solution
- Update the package-dedicated policies to properly deny `read_package` if a group IP violation is detected.
- Defense in depth: go further and simply deny all `*_package` permissions.
⚠ The project policy was already updated for %15.6 in !100260 (merged), so we don't need the changes for the project policy object in the `master` branch MR.
- Update the specs.
  - This slipped past the specs because the group IP logic was only asserted in the policy specs; this time we want to make sure this regression can't come back.
  - For that, add spec examples at the request-spec level for the package registry, exercising a group IP restriction end to end. If possible, for all package formats.
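The following is an added example, not GitLab code: a plain-Ruby model of how (A) and (B) interact, without the `DeclarativePolicy` framework. It shows the regressed shape, where the package-dedicated policy answers `read_package` on its own and never consults the IP restriction, next to the fixed shape, where any `*_package` permission is denied on an IP violation before the dedicated rules run. The `Group`, `ProjectPolicy`, `RegressedPackagePolicy`, `FixedPackagePolicy` classes, the `ip_enforcement_prevents_access?` helper and the sample IP ranges are all assumptions made for the illustration.

```ruby
require 'ipaddr'

# Hypothetical group carrying an IP restriction as a list of allowed CIDR ranges.
class Group
  def initialize(allowed_ranges)
    @allowed_ranges = allowed_ranges.map { |r| IPAddr.new(r) }
  end

  # True when the request IP falls outside every allowed range (assumed helper name).
  def ip_enforcement_prevents_access?(request_ip)
    return false if @allowed_ranges.empty?

    ip = IPAddr.new(request_ip)
    @allowed_ranges.none? { |range| range.include?(ip) }
  end
end

PACKAGE_PERMISSIONS = %i[read_package create_package destroy_package].freeze

# Base project policy modelled after fix (A): an IP violation removes every *_package permission.
class ProjectPolicy
  def initialize(group, role)
    @group = group
    @role = role
  end

  def allowed?(permission, request_ip:)
    return false if PACKAGE_PERMISSIONS.include?(permission) &&
                    @group.ip_enforcement_prevents_access?(request_ip)

    base_rules(permission)
  end

  private

  def base_rules(permission)
    case permission
    when :read_package then %i[guest reporter developer maintainer].include?(@role)
    when :create_package then %i[developer maintainer].include?(@role)
    when :destroy_package then @role == :maintainer
    else false
    end
  end
end

# Package-dedicated policy in the shape introduced by (B): it owns read_package and
# delegates everything else. This is the regressed version: its read_package rule is
# answered locally, so the IP check in ProjectPolicy is never reached for pulls.
class RegressedPackagePolicy
  def initialize(group, role)
    @group = group
    @role = role
    @delegate = ProjectPolicy.new(group, role)
  end

  def allowed?(permission, request_ip:)
    if permission == :read_package
      # Simplified stand-in for the extra read_package conditions (assumed: any member may read).
      %i[guest reporter developer maintainer].include?(@role)
    else
      @delegate.allowed?(permission, request_ip: request_ip)
    end
  end
end

# Fixed version: deny all *_package permissions on an IP violation before any local rule runs
# (the defense-in-depth variant from the solution list, not only read_package).
class FixedPackagePolicy < RegressedPackagePolicy
  def allowed?(permission, request_ip:)
    return false if PACKAGE_PERMISSIONS.include?(permission) &&
                    @group.ip_enforcement_prevents_access?(request_ip)

    super
  end
end

# Evaluates a package pull (read_package) for a developer from inside and outside the
# allowed range. Constructed sample data: group allows 10.0.0.0/8 only.
def package_pull_matrix(policy_class)
  group = Group.new(['10.0.0.0/8'])
  policy = policy_class.new(group, :developer)
  {
    inside: policy.allowed?(:read_package, request_ip: '10.1.2.3'),
    outside: policy.allowed?(:read_package, request_ip: '203.0.113.7')
  }
end

if $PROGRAM_NAME == __FILE__
  puts "regressed: #{package_pull_matrix(RegressedPackagePolicy)}"
  puts "fixed:     #{package_pull_matrix(FixedPackagePolicy)}"
end
```

Note that in the regressed policy only `read_package` is affected: `create_package` is still delegated and still denied from outside the range, which is exactly why policy specs written against the delegate kept passing. The request-level spec the solution asks for is the equivalent of `package_pull_matrix(...)[:outside]` being asserted false through the real registry endpoints.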
🙏 Thanks
Credits where they are due.
The above was discovered in a community contribution (from @wwwjon) where a job failed on a spec trying to pull a PyPI package from a group IP restricted project.