
Force pipelines to not have access to protected variables and will likely fail

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1932805 by js_noob on 2023-04-03, assigned to @fvpotvin:

Report

Summary

Hello team, a developer can force all pipelines from the main branch to not have access to protected CI/CD variables and will likely force them to fail.

Steps to reproduce

As an owner do the following:

  1. Create a project
  2. Add a couple of variables (/-/settings/ci_cd), let's call them VAR_1 and VAR_2
  3. Add .gitlab-ci.yml file containing the following:

         image: node:latest

         stages:
           - build

         build-job:
           stage: build
           script:
             - echo $VAR_1
             - cat $VAR_2

  4. Add any commit and navigate to the pipeline logs and verify that the variables are logged
  5. Add a developer member
  2. Add a developer member

As the developer do the following:

  1. Clone the repo locally: git clone <repo>
  2. Create a new branch named refs/heads/main: git checkout -b 'refs/heads/main'
  3. Delete .gitlab-ci.yml file and commit the changes
  4. Push the branch to remote: git push origin HEAD

As an owner do the following:

  1. Add any changes and commit
  2. Navigate to the pipeline logs and verify that the vars are empty and not logged

Video/POC

bandicam_2023-04-03_21-24-20-196.mp4

Impact

Pipelines on main will not have access to protected variables leading them to fail.
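
An added example, not part of the original report or of GitLab's code: git checkout -b 'refs/heads/main' creates a branch that Git stores as refs/heads/refs/heads/main, and the sketch below audits a list of ref names for branches or tags whose short name is itself a full ref path. The function name find_shadowing_refs and the sample refs are constructed for illustration.

```shell
#!/bin/sh
# Audit ref names for branches/tags whose short name looks like a full ref,
# e.g. the branch "refs/heads/main" stored as refs/heads/refs/heads/main.
#
# Input (stdin): full ref names, one per line, for example from
#   git for-each-ref --format='%(refname)'
# Output: "<ref> shadows <target> (<exists|absent>)" for every flagged ref,
# where <target> is the ref path the short name imitates.
find_shadowing_refs() {
  awk '
    { refs[$0] = 1; order[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        ref = order[i]
        short = ref
        # Strip the namespace Git prepends to a branch or tag name.
        if (sub(/^refs\/(heads|tags)\//, "", short) && short ~ /^refs\//) {
          state = (short in refs) ? "exists" : "absent"
          printf "%s shadows %s (%s)\n", ref, short, state
        }
      }
    }'
}

# Constructed sample: a normal repository plus two refs named like full refs.
SAMPLE_REFS='refs/heads/main
refs/heads/feature/login
refs/heads/refs/heads/main
refs/tags/v1.0
refs/heads/refs/tags/v2.0'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_REFS" | find_shadowing_refs
```

A flagged ref marked "exists" imitates a real branch or tag in the same repository and is the case to review first.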

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: