Backend: Pipelines will not have access to protected variables and will likely fail when using tags
HackerOne report #2055158 by js_noob on 2023-07-07, assigned to GitLab Team
Report
Summary
This seems to be a bypass of #406843 (closed)
Hello team, a developer can force all pipelines from the main branch to not have access to protected CI/CD variables and will likely force them to fail. This is similar to #1932805; I believe this has a different root cause, as the original is fixed.
Note: I reported this earlier in #1932805, but it was closed as a duplicate of the above report. The GitLab team mentioned that I should re-open that report if the original was fixed and the issue persists; obviously I can't re-open reports, so I am reporting it as a new report.
Steps to reproduce
As an owner:
- Create a new project
- Add a protected CI/CD variable
- Add a .gitlab-ci.yml with the following content

      image: node:latest
      stages:
        - build
      build-job:
        stage: build
        script:
          - echo $VAR

- Watch the pipeline logs and verify that the variable is printed
- Add a developer to the project
As the developer:
- Clone the project locally
- Delete the .gitlab-ci.yml file
- Commit the changes

      git add .
      git commit -m 'delete ci-cd'

- Grab the hash of the final commit using the following command

      git rev-parse HEAD

- Create a tag with the name of refs/heads/main pointing to the latest commit

      git tag 'refs/heads/main' HASH_FROM_STEP_9

- Push the tags to the remote

      git push origin --tags

As the owner:
- Run a new pipeline and verify that the var is not printed
Video/POC
Deleted as video does not work
Impact
Pipelines on main will not have access to protected variables, leading them to fail. This will also cause DoS, which blocks owners from deleting this malicious tag.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
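
A defensive check for the ref-name collision used in the steps above, as an added example that is not part of the original report and is not GitLab's fix: a shell function that reads git's pre-receive input (`<old-id> <new-id> <refname>` per line) and flags any pushed tag or branch whose short name itself starts with `refs/`, which generalizes slightly beyond the `refs/heads/main` tag in the report. The function name `find_ambiguous_refs` and the sample push data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag pushed refs whose short name mimics a full ref path,
# e.g. a tag named "refs/heads/main" (stored as refs/tags/refs/heads/main).

# Reads "<old-id> <new-id> <refname>" lines on stdin (pre-receive format).
# Prints each offending ref name and returns 1 if any was found.
find_ambiguous_refs() {
    found=0
    while read -r old new ref; do
        # An all-zero new id means the ref is being deleted. Let deletions
        # through so an existing ambiguous ref can still be cleaned up.
        case "$new" in
            *[!0]*) ;;
            *) continue ;;
        esac
        case "$ref" in
            refs/tags/refs/*|refs/heads/refs/*)
                printf '%s\n' "$ref"
                found=1
                ;;
        esac
    done
    return "$found"
}

# Constructed sample push (object ids are placeholders, not real commits).
SAMPLE_PUSH='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb refs/heads/main
0000000000000000000000000000000000000000 cccccccccccccccccccccccccccccccccccccccc refs/tags/v1.0.0
0000000000000000000000000000000000000000 cccccccccccccccccccccccccccccccccccccccc refs/tags/refs/heads/main
dddddddddddddddddddddddddddddddddddddddd 0000000000000000000000000000000000000000 refs/tags/refs/heads/main
0000000000000000000000000000000000000000 eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee refs/heads/refs/tags/v1'

# Stand-alone demo: list the refs a hook built on this function would reject.
printf '%s\n' "$SAMPLE_PUSH" | find_ambiguous_refs || true
```

In a pre-receive hook the function would read the hook's own stdin, and the hook would exit non-zero when it returns 1.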