Backend: Pipelines will not have access to protected variables and will likely fail when using tags

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2055158 by js_noob on 2023-07-07, assigned to GitLab Team:

Report

Summary

This seems to be a bypass of #406843 (closed)

Hello team, a developer can force all pipelines from the main branch to not have access to protected CI/CD variables and will likely force them to fail. This is similar to #1932805, I believe this is a different root cause, as the original is fixed.

Note: I reported this earlier in #1932805, but it was closed as a duplicate of the above report. The GitLab team said I should re-open that report if the original was fixed and the issue persisted; obviously I can't re-open reports, so I am reporting it as a new report.

Steps to reproduce

As an owner:

  1. Create a new project
  2. Add a protected CI/CD variable
  3. Add a .gitlab-ci.yml with the following content

```yaml
image: node:latest

stages:
  - build

build-job:
  stage: build
  script:
    - echo $VAR
```

  4. Watch the pipeline logs and verify that the variable is printed
  5. Add a developer to the project

As the developer:

  6. Clone the project locally
  7. Delete the .gitlab-ci.yml file
  8. Commit the changes

```shell
git add .
git commit -m 'delete ci-cd'
```

  9. Grab the hash of the final commit using the following command

```shell
git rev-parse HEAD
```

  10. Create a tag with the name of refs/heads/main pointing to the latest commit

```shell
git tag 'refs/heads/main' HASH_FROM_STEP_9
```

  11. Push the tags to the remote

```shell
git push origin --tags
```

As the owner:

  12. Run a new pipeline and verify that the var is not printed

Video/POC

Deleted as video does not work

Impact

Pipelines on main will not have access to protected variables, leading them to fail. This also causes a DoS, since owners are blocked from deleting this malicious tag.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
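As an added audit helper, not part of the report or of GitLab's code: the condition above is a tag whose name is itself a full branch ref path (the full ref becomes refs/tags/refs/heads/main, which can shadow refs/heads/main when a ref is resolved). The function below scans the output of `git for-each-ref` for such tags, and also goes slightly beyond the report by flagging a tag whose short name equals an existing branch name. SAMPLE_REFS is constructed data, and `audit_repo` assumes `git` is on PATH.

```python
"""Flag tags whose names shadow branch refs (added example, not GitLab code)."""
import subprocess

# A tag short name starting with one of these is a full ref path in disguise.
SHADOW_PREFIXES = ("refs/heads/", "refs/tags/", "refs/remotes/")


def find_shadowing_tags(refnames):
    """Return (full_ref, reason) for tags that shadow other refs.

    `refnames` is an iterable of full ref names, as printed by
    `git for-each-ref --format='%(refname)'`.
    """
    refs = list(refnames)
    branches = {r[len("refs/heads/"):] for r in refs if r.startswith("refs/heads/")}
    findings = []
    for ref in refs:
        if not ref.startswith("refs/tags/"):
            continue
        short = ref[len("refs/tags/"):]
        if short.startswith(SHADOW_PREFIXES):
            findings.append((ref, "tag name is itself a full ref path"))
        elif short in branches:
            findings.append((ref, "tag name collides with branch %s" % short))
    return findings


def audit_repo(path="."):
    """Run the check against a local checkout (assumes git is on PATH)."""
    out = subprocess.run(
        ["git", "-C", path, "for-each-ref", "--format=%(refname)"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_shadowing_tags(out.splitlines())


# Constructed sample, not real repository data: the refs a project would have
# after the steps in the report, plus an ordinary release tag.
SAMPLE_REFS = [
    "refs/heads/main",
    "refs/remotes/origin/main",
    "refs/tags/v1.0.0",
    "refs/tags/refs/heads/main",
]

if __name__ == "__main__":
    for ref, why in find_shadowing_tags(SAMPLE_REFS):
        print(f"{ref}: {why}")
```

Running it against a real clone with `audit_repo(path)` lists the same findings for that repository; an empty list means no tag shadows a branch ref.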

Edited by Laura Montemayor