Project (and Group) Access Tokens do not have their Read permissions correctly scoped - Internal projects can be accessed
Summary
The interaction between Project (and Group) Access Tokens and projects with Internal visibility is valid, but unexpected. Namely, any Project Access Token can be used to clone any Internal visibility project on the instance.
Steps to reproduce
- Create a project with visibility set to Internal
- Create a Project Access Token from any other project on the instance
- Use the token to clone the original project, e.g.
    git clone https://oauth2:<token>@gitlab.test.lab/bmendric/internal-project.git
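As an added check that is not part of the original report: the script below lists every Internal project a given Project Access Token can enumerate through the REST API, excluding the token's own project, so the reach described above can be measured rather than confirmed one clone at a time. It assumes a GitLab v4 REST API at the given base URL and a token with the read_api scope (the clone in the steps above needs read_repository); the transport function is injectable and the two sample pages are constructed, so the logic also runs offline.

```python
"""Audit the reach of a GitLab Project Access Token.

Added example for this issue, not code from the original report or from
GitLab. Assumes a GitLab REST API v4 endpoint under BASE_URL; the token is
sent in the PRIVATE-TOKEN header and needs the read_api scope. Transport is
injected via ``fetch`` so the paging and filtering run offline against the
constructed responses below.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def http_fetch(url, token):
    """Live transport: GET url with PRIVATE-TOKEN; returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def list_internal_projects(base_url, token, own_project_id=None, fetch=http_fetch):
    """Return path_with_namespace of every Internal project the token can list.

    Pages through GET /api/v4/projects?visibility=internal until the
    X-Next-Page header is empty. The project the token belongs to
    (own_project_id) is excluded, since reading it is the token's intended
    purpose; anything left is reach the token owner may not have expected.
    """
    reachable = []
    page = "1"
    while page:
        query = urllib.parse.urlencode({
            "visibility": "internal",  # server-side filter by visibility
            "per_page": "100",
            "page": page,
        })
        url = f"{base_url.rstrip('/')}/api/v4/projects?{query}"
        status, headers, body = fetch(url, token)
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}")
        for project in json.loads(body):
            if project.get("visibility") != "internal":
                continue  # defensive: verify the server-side filter
            if own_project_id is not None and project["id"] == own_project_id:
                continue
            reachable.append(project["path_with_namespace"])
        headers = {k.lower(): v for k, v in headers.items()}
        page = headers.get("x-next-page", "")  # empty on the last page
    return sorted(reachable)


# Constructed responses (made up for this example, not from a real instance):
# two pages of GET /api/v4/projects?visibility=internal linked by X-Next-Page.
# Project id 2 stands in for the project the token was issued from.
CONSTRUCTED_PAGES = {
    "1": ([{"id": 1, "path_with_namespace": "bmendric/internal-project", "visibility": "internal"},
           {"id": 2, "path_with_namespace": "ops/token-home", "visibility": "internal"}], "2"),
    "2": ([{"id": 3, "path_with_namespace": "platform/shared-libs", "visibility": "internal"}], ""),
}


def constructed_fetch(url, token):
    """Offline stand-in for http_fetch that serves CONSTRUCTED_PAGES."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    body, next_page = CONSTRUCTED_PAGES[params.get("page", ["1"])[0]]
    return 200, {"X-Next-Page": next_page}, json.dumps(body).encode()


def main(argv):
    if len(argv) == 4:
        # Live run: python audit.py https://gitlab.example <token> <own-project-id>
        paths = list_internal_projects(argv[1], argv[2], int(argv[3]))
    else:
        # No arguments: run against the constructed pages, treating id 2 as own.
        paths = list_internal_projects("https://gitlab.test.lab", "glpat-example",
                                       2, constructed_fetch)
    print(f"{len(paths)} Internal project(s) readable beyond the token's own project:")
    for path in paths:
        print("  " + path)


if __name__ == "__main__":
    main(sys.argv)
```

The listing applies the same visibility rule the clone relies on; a non-empty result means the token reaches projects it was never associated with, and each path can then be confirmed with the git clone command from the steps above.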
Example Project
Internal group/project visibility is only available on self-hosted GitLab instances, so I have no way to provide an example project.
What is the current bug behavior?
The "bug" in this instance is that the Project Access Token is allowed to clone repositories with which it is not associated.
What is the expected correct behavior?
Technically, according to the documentation on Internal project/group visibility, the current behavior is expected, since the Project Access Token is a valid, authenticated "user" to the instance. However, I would have intuitively expected this action to be blocked.
I believe the goal of a Project Access Token is to grant some external, potentially less secure entity/environment access to a specific project. Allowing that token access to all Internal repositories poses some security risk, in opposition to that goal.
Relevant logs and/or screenshots
N/A; can provide on request.
Output of checks
Results of GitLab environment info
Results of GitLab application Check
The output of these commands doesn't seem relevant to the request, and the commands also do not function correctly when executed in the context of a GitLab Toolbox container within a Kubernetes deployment. If this information is pertinent to the bug report, I am happy to provide the output, given the correct commands to run for a Kubernetes deployment.
Possible fixes
N/A