A developer can disclose group/project protected CI/CD vars using MRs approvals conflicts broken logic

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2078069 by js_noob on 2023-07-20, assigned to @cmaxim:


Report

Summary

Hello team, for a developer to be able to disclose the protected CI/CD vars he should have merge and push access to a project. However, even without those, there is some broken logic in the MRs approvals where it allows him to bypass all approvals logic and merge his evil code, which allows him to disclose the vars.

Steps to reproduce

As an owner:

  1. Create a new group and apply the ultimate trial to it
  2. Add a developer to the group
  3. Add a protected var in that group, Group Settings => CI/CD => Variables

image.png

  4. Create a new project in that group, and add a .gitlab-ci.yml file with the following content

```yaml
build:
  script:
    - echo "This is safe..."
```

  5. Allow developers to merge MRs, Project Settings => Repository => Protected branches

image.png

  6. Add MR approval rule to require 2 approvals before merging any MR, Project Settings => Merge requests => Merge request approvals

image.png

  7. On the same page, make sure Prevent approval by author is checked. Now no MRs should be merged unless approved by both members, right?

As the developer:

  1. Edit .gitlab-ci.yml to match the following

```yaml
build:
  script:
    - echo "This is safe..."
    - echo $VAR
```

  2. Create a merge request, and verify that you can merge it (knowing that the logic that should be here is that it should now require 1 approval)
  3. Merge it, navigate to the pipeline logs, and verify that the protected variable is disclosed

The developer in this case is trusted to merge MRs that are approved by the owner (requires 2 approvals, dev + owner); however, he was able to bypass this and merge an MR without the owner's approval, allowing him to run any code on protected branches (main in this case).

The expected logic, in this case, is requiring 1 approval not 2, as the other member that should approve is the MR author, while here it required 0 approvals.

Examples/POC

bandicam_2023-07-20_21-21-47-081.mp4

Output of checks

This bug happens on GitLab.com

Impact

A developer can disclose project/group protected CI/CD variables.
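The combination the report relies on (Developers allowed to merge to a protected branch, a protected group variable, and an approval rule whose eligible approvers include the MR author while author approval is blocked) can be checked from configuration data before any MR is opened. The following is an added example, not code from the report or from GitLab: it models the reporter's stated expectation (the author cannot count toward the rule, so the effective requirement is the number of remaining eligible approvers, 1 in the report's setup, never 0) and audits constructed sample data shaped like the GitLab REST responses named in the comments. The sample usernames, variable names and project layout are hypothetical; the response field names are assumed from the public API and should be verified against the instance being audited.

```python
from typing import Dict, List

DEVELOPER = 30  # GitLab access level value for the Developer role

# Constructed sample data (hypothetical values mirroring the report's setup).
# Shapes follow the public REST endpoints named beside each list.
GROUP_VARIABLES = [  # GET /groups/:id/variables
    {"key": "VAR", "protected": True, "masked": False},
    {"key": "PUBLIC_FLAG", "protected": False, "masked": False},
]
PROTECTED_BRANCHES = [  # GET /projects/:id/protected_branches
    {"name": "main", "merge_access_levels": [{"access_level": DEVELOPER}]},
]
APPROVAL_RULES = [  # GET /projects/:id/approval_rules
    {"name": "Owner sign-off", "approvals_required": 2,
     "eligible_approvers": [{"username": "owner"}, {"username": "dev"}]},
]
APPROVAL_SETTINGS = {"merge_requests_author_approval": False}  # GET /projects/:id/approvals


def _eligible_excluding_author(rule: Dict, author: str, prevent_author_approval: bool) -> set:
    eligible = {a["username"] for a in rule["eligible_approvers"]}
    if prevent_author_approval:
        eligible.discard(author)
    return eligible


def expected_required_approvals(rule: Dict, author: str, prevent_author_approval: bool) -> int:
    """Reporter's expected semantics: with 2 required and only the owner left
    eligible once the author is excluded, the rule should still require 1."""
    remaining = _eligible_excluding_author(rule, author, prevent_author_approval)
    return min(rule["approvals_required"], len(remaining))


def can_merge(rule: Dict, author: str, approvals_by: List[str], prevent_author_approval: bool) -> bool:
    """Merge gate that fails closed: self-approvals never count, and a rule
    nobody else can satisfy blocks the merge instead of dropping to 0."""
    needed = expected_required_approvals(rule, author, prevent_author_approval)
    counted = set(approvals_by) & _eligible_excluding_author(rule, author, prevent_author_approval)
    return needed > 0 and len(counted) >= needed


def audit(variables: List[Dict], protected_branches: List[Dict],
          rules: List[Dict], settings: Dict) -> List[str]:
    """Flag the configuration that lets a merged job read protected variables,
    and every rule whose effective approval count drops once an author is excluded."""
    findings: List[str] = []
    protected_vars = sorted(v["key"] for v in variables if v["protected"])
    dev_mergeable = sorted(
        b["name"] for b in protected_branches
        if any(lvl["access_level"] <= DEVELOPER for lvl in b["merge_access_levels"]))
    if protected_vars and dev_mergeable:
        findings.append(
            f"developers can merge to protected branch(es) {dev_mergeable}; any job they "
            f"merge there runs with protected variables {protected_vars}")
    prevent_author = not settings["merge_requests_author_approval"]  # "Prevent approval by author"
    for rule in rules:
        for author in sorted(a["username"] for a in rule["eligible_approvers"]):
            effective = expected_required_approvals(rule, author, prevent_author)
            if effective < rule["approvals_required"]:
                findings.append(
                    f"rule {rule['name']!r}: an MR authored by {author} leaves only {effective} "
                    f"eligible approver(s) for a rule configured to need {rule['approvals_required']}; "
                    f"confirm the server enforces {effective}, not 0")
    return findings


if __name__ == "__main__":
    for line in audit(GROUP_VARIABLES, PROTECTED_BRANCHES, APPROVAL_RULES, APPROVAL_SETTINGS):
        print("-", line)
```

The audit deliberately reports the reduced-approver case for every eligible author, not just Developers: a rule that can only be met by the author plus one other person has a single point of failure whichever member opens the MR, and the report shows that the count is exactly where the server logic went wrong.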

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: