Force pipelines to not have access to protected variables and will likely fail
HackerOne report #1932805 by js_noob
on 2023-04-03, assigned to @fvpotvin:
Report
Summary
Hello team, a developer can force all pipelines from the main branch to not have access to protected CI/CD variables and will likely force them to fail.
Steps to reproduce
As an owner do the following:

- Create a project
- Add a couple of variables under `/-/settings/ci_cd`; let's call them `VAR_1` and `VAR_2`
- Add a `.gitlab-ci.yml` file containing the following:

```yaml
image: node:latest
stages:
  - build
build-job:
  stage: build
  script:
    - echo $VAR_1
    - cat $VAR_2
```

- Add any commit, navigate to the pipeline logs and verify that the variables are logged
- Add a developer member

As the developer do the following:

- Clone the repo locally: `git clone <repo>`
- Create a new branch named `refs/heads/main`: `git checkout -b 'refs/heads/main'`
- Delete the `.gitlab-ci.yml` file and commit the changes
- Push the branch to remote: `git push origin HEAD`

As an owner do the following:

- Add any changes and commit
- Navigate to the pipeline logs and verify that the vars are empty and not logged
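The branch in the steps above is literally named `refs/heads/main`, which git stores as the full ref `refs/heads/refs/heads/main`, a name whose suffix is indistinguishable from the real protected branch `main` to anything that matches on the ref's tail. As an added example that is not part of the report or of GitLab's own code, the following is a defender-side check of the kind a server-side `pre-receive` hook could run to refuse branch or tag names that themselves begin with `refs/`. The push lines, revision ids and branch names in `SAMPLE_PUSH` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HackerOne report or GitLab's code base).
# Rejects pushes that create refs such as refs/heads/refs/heads/main, i.e. a
# branch whose short name itself starts with "refs/". Such names are ambiguous
# with the real ref they shadow and are a reasonable thing to block at the
# server before any protected-ref logic ever sees them.

# ref_is_ambiguous FULLREF
# Returns 0 (true) when the part after refs/heads/ or refs/tags/ itself
# starts with "refs/", e.g. refs/heads/refs/heads/main; 1 (false) otherwise.
ref_is_ambiguous() {
    case "$1" in
        refs/heads/refs/*|refs/tags/refs/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_push < "oldrev newrev refname" lines (the pre-receive stdin format)
# Prints each offending ref on stderr and returns 1 if any was found,
# 0 if the whole push is acceptable.
check_push() {
    rejected=0
    while read -r oldrev newrev refname; do
        [ -z "$refname" ] && continue
        if ref_is_ambiguous "$refname"; then
            echo "rejected: $refname (branch names must not begin with refs/)" >&2
            rejected=1
        fi
    done
    return $rejected
}

# Constructed sample push (hypothetical revision ids): one ordinary feature
# branch and one branch named "refs/heads/main", as created by
# `git checkout -b 'refs/heads/main'` followed by `git push origin HEAD`.
SAMPLE_PUSH='0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 refs/heads/feature/x
0000000000000000000000000000000000000000 2222222222222222222222222222222222222222 refs/heads/refs/heads/main'

# Run the check over the constructed push when executed directly.
demo() {
    printf '%s\n' "$SAMPLE_PUSH" | check_push
}

demo || echo "push would be rejected by the hook"
```

Installed as `hooks/pre-receive` on a bare repository, a script of this shape reads the same three-column lines from stdin and its non-zero exit status causes git to refuse the push; the check is deliberately a plain string match so it cannot be fooled by how a later component resolves or abbreviates the ref.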
Video/POC
bandicam_2023-04-03_21-24-20-196.mp4
Impact
Pipelines on `main` will not have access to protected variables, leading them to fail.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: