Backend: Leaking CI variables via fork MRs
Summary
This confidential security issue is an SSOT for all of the nearly identical work that needs to happen in the related issues list.
All these issues have the same baseline: a forked MR and running YamlProcessor.
- Attacker forks a public project
- Attacker makes changes to gitlab-ci.yml to leak variables and creates an MR to the public project
- Attacker sends one of these links to a project member:
  - #393054 (closed) -> blob page of gitlab-ci.yml with the attacker sha (BlobViewer::GitlabCiYml)
  - #394964 (closed) -> CI editor page with the attacker sha (Ci::Lint)
  - #416255 (closed) -> new pipeline page with the attacker sha (Ci::ListConfigVariablesService)
- Backend runs Gitlab::Ci::YamlProcessor and leaks the unprotected variables by fetching external includes.
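The defect in all three pages is that a .gitlab-ci.yml fetched by an attacker-controlled sha is rendered with the viewed project's variables. The model below is an added illustration, not GitLab's code: Project, MergeRequest, CiConfigVariableScope and demo are hypothetical, and it contrasts the naive behaviour with a scope check that hands out the target project's variables only when the sha actually belongs to that project.

```ruby
require 'set'

# Constructed model objects; not GitLab's classes.
Project = Struct.new(:name, :variables, :shas, keyword_init: true)
MergeRequest = Struct.new(:source_project, :target_project, :sha, keyword_init: true)

# Decides whose CI variables may feed include: resolution when a
# .gitlab-ci.yml is rendered for an arbitrary sha in a project's context.
class CiConfigVariableScope
  def initialize(project:, sha:, merge_request: nil)
    @project, @sha, @mr = project, sha, merge_request
  end

  # Behaviour described in the issue: the page always renders with the
  # viewed project's variables, even when the sha comes from a fork.
  def naive_variables
    @project.variables
  end

  # Hardened: the target project's variables are used only when the sha is
  # part of the target project itself. A sha that exists only in the fork
  # gets the fork's own variables, which its author already controls.
  def safe_variables
    return @project.variables if @project.shas.include?(@sha)
    if @mr && @mr.sha == @sha && @mr.source_project.shas.include?(@sha)
      return @mr.source_project.variables
    end
    {}
  end

  # Expand $NAME references the way a remote include URL would be expanded.
  def self.expand(template, variables)
    template.gsub(/\$([A-Z_][A-Z0-9_]*)/) { variables.fetch($1, '') }
  end
end

# Constructed sample: a public project with an unprotected variable and a fork MR.
UPSTREAM = Project.new(name: 'upstream', variables: { 'API_TOKEN' => 'upstream-secret' }, shas: Set['aaa111'])
FORK = Project.new(name: 'fork', variables: {}, shas: Set['aaa111', 'bbb222'])
FORK_MR = MergeRequest.new(source_project: FORK, target_project: UPSTREAM, sha: 'bbb222')

def demo(sha: 'bbb222')
  scope = CiConfigVariableScope.new(project: UPSTREAM, sha: sha, merge_request: FORK_MR)
  template = 'https://includes.example/$API_TOKEN/config.yml'
  { naive: CiConfigVariableScope.expand(template, scope.naive_variables),
    safe: CiConfigVariableScope.expand(template, scope.safe_variables) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

For the fork sha the naive path puts the upstream secret into the include URL while the scoped path leaves it empty; for a sha that lives in upstream both paths agree.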
Proposal
Two options were recently shared to fix this problem in #394964 (comment 1437662805)
Additional details
Some relevant technical details, if applicable, such as:
- Does this need a feature flag?
- Does there need to be an associated instrumentation issue created related to this work?
- Is there an example response showing the data structure that should be returned (new endpoints only)?
- What permissions should be used?
- Is this EE or CE?
  - EE
  - CE
- Additional comments:
Links/References
Edited by Mark Nuzzo