User with developer role (group) can leak group CI/CD variables through GitLab project import using tags protection

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1940141 by js_noob on 2023-04-09, assigned to @greg:

Report | Attachments | How To Reproduce

Report

Summary

Hello team, a user with a developer role (group) can steal protected group/project CI/CD variables by adding protected tags on a project, exporting it, and then importing it into a group where he has a developer role, the protection gets imported as it is. This is done with no victim interaction needed.

Steps to reproduce
  1. Create 2 accounts
  2. Create a group with account A and masked CI/CD group variables (Group settings -> CI/CD -> Variables)

image.png

  1. Create a personal project with account B and add .gitlab-ci.yml file with the following content
image: ruby:latest

job_name:    
 script:    
   - echo $VAR   
  1. In the same project from account B create tags protection (Project settings -> Repository -> Protected tags), with the following v* and `Developers + Maintainers

image.png

  1. Export the project and save the tar/zip file
  2. Invite account B (developer) to account A's (owner) group
  3. Upload the project file (from step 5) to account A's group with account B
  4. Create a new release in the newly created/imported project with the following
    1. tag: v.1.0.0
    2. Release title: v.1.0.0
  5. Verify the successful creation, navigate to the job/pipeline logs and verify the group CI/CD vars being leaked
Expected Behavior

Protected tags should either be blank by default or just be limited to maintainers (this is done for protected branches).

Video/POC

Redacted

Impact

Users with developer role (group) can steal masked group and project CI/CD variables

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Félix Veillette-Potvin