Bypass predefined vars

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2125189 by ali_shehab on 2023-08-27, assigned to @rshambhuni:

Report | How To Reproduce

Report

Summary

Hi team. An admin can set that only maintainers and owners can bypass predefined variables. If you set it to true, when a developer tries to override them manually he will get an error; however, this is bypassable via the REST API.

Steps to reproduce
  1. Create a group and a project in the group.
  2. Add this .gitlab-ci.yaml file to the project and lock this file.

```yaml
stages:
  - build
  - owner-only

build:
  stage: build
  image: ubuntu
  script:
    - echo "This is a normal job..."

owner-only:
  stage: owner-only
  image: ubuntu
  script:
    - echo "This should only run if the pipeline was triggered by ali_shehab"
  rules:
    - if: '$GITLAB_USER_LOGIN == "ali_shehab"'
```

  3. This means that the owner-only job will only be triggered if the pipeline trigger is ali_shehab.
  4. Disable overriding variables:

```shell
curl -X PUT -H "PRIVATE-TOKEN: TOKEN" "https://gitlab-private.net/api/v4/projects/16?restrict_user_defined_variables=true"
```

  5. Now invite user B with a developer role.
  6. Now user B creates a scheduled pipeline.
  7. He sends this API request to add variables to the scheduled pipeline:

```shell
curl --request POST --header "PRIVATE-TOKEN: TOKEN" "https://gitlab.com/api/v4/projects/{project}/pipeline_schedules/{pipeline_schedule_id}/variables?key=GITLAB_USER_LOGIN&value=ali_shehab"
```

  8. Now he runs the schedule and overrides the predefined vars.

Impact

Able to bypass predefined variables even if only maintainers and developers are allowed.
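The report above hinges on a schedule variable whose key shadows a predefined CI/CD variable. The following audit helper is an added example, not code from the report or from GitLab: it scans a pipeline schedule's variables for keys in the namespace GitLab reserves for predefined variables and returns them for review. The schedule JSON is constructed to mirror the shape of a `GET /projects/:id/pipeline_schedules/:schedule_id` response (fields `id`, `description`, `owner.username`, `variables[].key`/`value`); the exact key set and the prefix heuristic are assumptions for illustration.

```python
# Added audit example (not from the report or GitLab): flag pipeline schedule
# variables whose keys shadow predefined CI/CD variables, which is the pattern
# the report uses (a schedule variable named GITLAB_USER_LOGIN).
import json

# Constructed sample mirroring the schedule API response shape; not real data.
SAMPLE_SCHEDULE_JSON = """{
  "id": 13,
  "description": "nightly",
  "owner": {"username": "user_b", "id": 42},
  "variables": [
    {"key": "GITLAB_USER_LOGIN", "variable_type": "env_var", "value": "ali_shehab"},
    {"key": "DEPLOY_ENV", "variable_type": "env_var", "value": "staging"}
  ]
}"""

# Assumed illustrative subset of predefined variable names that job rules
# commonly gate on; extend as needed for your instance.
PREDEFINED_EXACT = {"GITLAB_USER_LOGIN", "GITLAB_USER_EMAIL",
                    "GITLAB_USER_ID", "GITLAB_USER_NAME"}
# Heuristic: GitLab populates CI_* and GITLAB_* itself, so a user-supplied key
# with one of these prefixes is at least suspicious and worth reviewing.
PREDEFINED_PREFIXES = ("CI_", "GITLAB_")


def find_shadowing_variables(schedule: dict) -> list:
    """Return schedule variables whose key collides with a predefined variable name."""
    findings = []
    for var in schedule.get("variables", []):
        key = var.get("key", "")
        if key in PREDEFINED_EXACT or key.startswith(PREDEFINED_PREFIXES):
            findings.append({
                "schedule_id": schedule.get("id"),
                "owner": schedule.get("owner", {}).get("username"),
                "key": key,
                "value": var.get("value"),
            })
    return findings


def audit_schedule_json(text: str) -> list:
    """Parse one schedule JSON document and return its shadowing variables."""
    return find_shadowing_variables(json.loads(text))


if __name__ == "__main__":
    for finding in audit_schedule_json(SAMPLE_SCHEDULE_JSON):
        print(f"schedule {finding['schedule_id']} (owner {finding['owner']}): "
              f"{finding['key']} set to {finding['value']!r}")
```

Run it over every schedule returned for a project and treat any finding as a review item, since predefined variables have the lowest precedence and a user-supplied value with the same key wins.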

How To Reproduce

Please add reproducibility information to this section: