User with developer role (group) can leak group CI/CD variables through GitLab project import using tags protection
HackerOne report #1940141 by js_noob on 2023-04-09, assigned to @greg:
Report | Attachments | How To Reproduce
Report
Summary
Hello team, a user with a developer role (group) can steal protected group/project CI/CD variables by adding protected tags on a project, exporting it, and then importing it into a group where he has a developer role, the protection gets imported as it is. This is done with no victim interaction needed.
Steps to reproduce
- Create 2 accounts
- Create a group with account A and masked CI/CD group variables (Group settings -> CI/CD -> Variables)
- Create a personal project with account B and add
.gitlab-ci.ymlfile with the following content
image: ruby:latest
job_name:
script:
- echo $VAR - In the same project from account B create tags protection (Project settings -> Repository -> Protected tags), with the following
v*and `Developers + Maintainers
- Export the project and save the tar/zip file
- Invite account B (developer) to account A's (owner) group
- Upload the project file (from step 5) to account A's group with account B
- Create a new release in the newly created/imported project with the following
- tag:
v.1.0.0 - Release title:
v.1.0.0
- tag:
- Verify the successful creation, navigate to the job/pipeline logs and verify the group CI/CD vars being leaked
Expected Behavior
Protected tags should either be blank by default or just be limited to maintainers (this is done for protected branches).
Video/POC
Redacted
Impact
Users with developer role (group) can steal masked group and project CI/CD variables
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:

