Protected Tags Bypass Using Deploy Keys
HackerOne report #1788273 by vaib25vicky on 2022-11-29, assigned to @rshambhuni:
Report
Summary
Deploy keys with write access are not restricted and they can bypass protected tags rules. This works even if the owner of the key is removed from the project.
Steps to reproduce
Let there be two maintainers, foo and bar.
- foo maintainer adds a protected tag rule with wildcard v* and allows NO ONE to create those tags
- bar maintainer creates a deploy key with write access to the project
- bar maintainer clones the project and pushes the protected tag
git clone git@gitlab.com:<namespace>/<project>.git
cd <project>
git tag v123
git push origin v123
- v123 will be created on GitLab.com with the protected label
- Also, remove bar maintainer while leaving his key; he will again be able to push protected tags
Impact
There are attack scenarios where this can be harmful:
- Accidental creation of tags or releases by development teams using deploy keys can cause harm and push unchecked code to the deployment server.
- Suppose a project has used all the security restrictions, such as protected branch rules, push rules, protected tag rules, etc. Then, in the event that deploy keys are compromised, the attacker can't use them for much except bypassing protected tag rules.
Edited by Rohit Shambhuni
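An audit sketch for the condition described in this report, as an added example that is not part of the original report or GitLab's own code: it flags write-enabled deploy keys in a project that also has protected tag rules, and marks the rules set to "No one". The sample data is constructed, shaped like GitLab REST API responses for protected tags and deploy keys, and the function names are hypothetical.

```python
import re

# Constructed sample data, shaped like the responses of
# GET /projects/:id/protected_tags and GET /projects/:id/deploy_keys.
PROTECTED_TAGS = [
    {"name": "v*", "create_access_levels": [{"access_level": 0}]},          # No one
    {"name": "release-*", "create_access_levels": [{"access_level": 40}]},  # Maintainers
]
DEPLOY_KEYS = [
    {"id": 1, "title": "ci-readonly", "can_push": False},
    {"id": 2, "title": "bar-deploy", "can_push": True},
]


def pattern_to_regex(pattern):
    """Translate a protected-tag wildcard (only '*' is special) into a regex."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def covering_rule(tag, protected_tags):
    """Return the first protected-tag rule whose pattern matches tag, or None."""
    for rule in protected_tags:
        if pattern_to_regex(rule["name"]).fullmatch(tag):
            return rule
    return None


def is_no_one(rule):
    """True when every create access level on the rule is 0 ("No one")."""
    levels = rule.get("create_access_levels", [])
    return bool(levels) and all(l.get("access_level") == 0 for l in levels)


def audit(protected_tags, deploy_keys):
    """Pair each write-enabled deploy key with each protected-tag rule.

    Per the report, such a key could create tags the rule was meant to block,
    so every pair is a finding; 'no_one' marks the strictest rules.
    """
    writers = [k for k in deploy_keys if k.get("can_push")]
    return [
        {"key": k["title"], "pattern": r["name"], "no_one": is_no_one(r)}
        for k in writers
        for r in protected_tags
    ]


if __name__ == "__main__":
    for finding in audit(PROTECTED_TAGS, DEPLOY_KEYS):
        print(finding)
```

Read-only deploy keys produce no findings; any write-enabled key paired with a "No one" rule is the configuration the report reproduces.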