Protected Tags Bypass Using Deploy Keys

HackerOne report #1788273 by vaib25vicky on 2022-11-29, assigned to @rshambhuni:


Report

Summary

Deploy keys with write access are not restricted and they can bypass protected tags rules. This works even if the owner of the key is removed from the project.

Steps to reproduce

Let there be two maintainers, foo and bar.

  1. foo maintainer adds a protected tag rule with wildcard v* and allows NO ONE to create those tags
  2. bar maintainer creates a deploy key with write access to the project
  3. bar maintainer clones the project and pushes the protected tag:
       git clone git@gitlab.com:<namespace>/<project>.git
       cd <project>
       git tag v123
       git push origin v123
  4. v123 will be created on GitLab.com with the protected label
  5. Also, remove bar maintainer while leaving his key; he will again be able to push protected tags

Impact

There are attack scenarios where this can be harmful:

  1. Accidental creation of tags or releases by the development teams using deploy keys can harm and push unchecked code to the deployment server
  2. Suppose a project has used all the security restrictions such as protected branch rules, push rules, protected tag rules, etc. Then, in the event of deploy keys being compromised, the attacker can't use them for much except bypassing protected tag rules.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Rohit Shambhuni
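
A configuration audit for the condition the report describes, as an added example that is not part of the report or of GitLab's code: it pairs protected tag rules with write-enabled deploy keys and lists existing tags that fall under a "No one" rule. The `can_push` and `create_access_levels` fields follow GitLab's deploy keys and protected tags REST API responses; the function names and all sample data are constructed for illustration.

```python
import re

NO_ONE = 0  # GitLab access level value for "No one"

def rule_matches(pattern, tag):
    """Protected-tag rule match where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, tag) is not None

def is_locked(rule):
    """True when the rule lets no role create matching tags."""
    levels = [a["access_level"] for a in rule.get("create_access_levels", [])]
    return bool(levels) and all(level == NO_ONE for level in levels)

def audit_project(protected_tags, deploy_keys):
    """Pair every protected-tag rule with every write-enabled deploy key."""
    findings = []
    for rule in protected_tags:
        for key in deploy_keys:
            if key.get("can_push"):
                findings.append({
                    "rule": rule["name"],
                    "key_id": key["id"],
                    "key_title": key["title"],
                    "severity": "high" if is_locked(rule) else "review",
                })
    return findings

def tags_under_locked_rules(protected_tags, tag_names):
    """Existing tags matching a 'No one' rule; each deserves a provenance check."""
    locked = [r["name"] for r in protected_tags if is_locked(r)]
    return [t for t in tag_names if any(rule_matches(p, t) for p in locked)]

# Constructed sample data shaped like the API responses (not real project data).
PROTECTED_TAGS = [{"name": "v*", "create_access_levels": [
    {"access_level": 0, "access_level_description": "No one"}]}]
DEPLOY_KEYS = [
    {"id": 101, "title": "ci-deploy (constructed)", "can_push": True},
    {"id": 102, "title": "read-only mirror (constructed)", "can_push": False},
]
TAG_NAMES = ["v123", "release-1", "v1.0"]  # e.g. output of `git tag -l`

if __name__ == "__main__":
    for finding in audit_project(PROTECTED_TAGS, DEPLOY_KEYS):
        print(finding)
    print(tags_under_locked_rules(PROTECTED_TAGS, TAG_NAMES))
```

Deploy keys stay enabled after their creator leaves the project, so the audit reads key state only and does not depend on current membership.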