Developers can create pipeline schedules on protected branches even if they don't have access to merge by creating a matching tag
HackerOne report #2264595 by js_noob
on 2023-11-26, assigned to @ngeorge1:
Report
Summary
Hello team, as part of the branch protection rules, developers should not be able to run or schedule pipelines on branches they don't have merge permissions for. From the docs:
The schedule owner must have the Developer role. For pipelines on protected branches, the schedule owner must be allowed to merge with the branch.
However, a developer can bypass this condition.
This is a bypass of https://hackerone.com/reports/2089517
Steps to reproduce
As an owner:
- Create a project
- Create a new branch called `protected`
- Navigate to https://gitlab.com/OWNER/PROJECT/-/settings/repository#js-protected-branches-settings and set `Allowed to merge` and `Allowed to push and merge` to `Maintainers` on the `protected` branch
- Add a developer to the project

As the developer:
- Navigate to https://gitlab.com/OWNER/PROJECT/-/pipeline_schedules/new
- Try creating a pipeline schedule on `protected` and verify the error
- Create a new tag called `protected`
- Navigate back to https://gitlab.com/OWNER/PROJECT/-/pipeline_schedules/new, create a schedule on the `protected` branch, and intercept the request. The body of the request should look similar to the following:

```json
{"operationName":"createPipelineSchedule","variables":{"input":{"description":"test","cron":"5 9 * * *","cronTimezone":"Etc/GMT+12","ref":"refs/tags/v1","variables":[],"active":true,"projectPath":"jawadneeme1/poc-project-12871"}},"query":"mutation createPipelineSchedule($input: PipelineScheduleCreateInput!) {\n pipelineScheduleCreate(input: $input) {\n clientMutationId\n errors\n __typename\n }\n}\n"}
```

- In the `ref` field, remove the `refs/tags` or `refs/heads` prefix from the ref and keep only `protected`
- Verify the success
- Delete the `protected` tag
- Verify that the created schedule is on the `protected` branch
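The steps above hinge on a bare ref name that matches both a tag and a protected branch. As an added illustration (not GitLab's code), the following Python model contrasts a permission check that resolves the bare name to the tag first with one that refuses ambiguous names and authorizes against the ref the schedule will actually run on. The `Repo` model, the user names `owner` and `developer`, and the constructed repository state are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Repo:  # minimal model of a project's refs and protection rules (constructed)
    branches: set
    tags: set
    protected: set                               # branch names with merge restrictions
    mergers: dict = field(default_factory=dict)  # branch name -> users allowed to merge

def resolve_ref(repo, ref):
    """Map ref text to ('branch' | 'tag', name); a bare name that matches both
    a branch and a tag is refused rather than silently resolved to one."""
    for prefix, kind, names in (("refs/heads/", "branch", repo.branches),
                                ("refs/tags/", "tag", repo.tags)):
        if ref.startswith(prefix):
            name = ref[len(prefix):]
            if name in names:
                return kind, name
            raise ValueError(f"unknown {kind} {name!r}")
    is_branch, is_tag = ref in repo.branches, ref in repo.tags
    if is_branch and is_tag:
        raise ValueError(f"ambiguous ref {ref!r}: qualify it with refs/heads/ or refs/tags/")
    if is_branch:
        return "branch", ref
    if is_tag:
        return "tag", ref
    raise ValueError(f"unknown ref {ref!r}")

def weak_can_schedule(repo, user, ref):
    """Mirrors the reported behaviour: a bare name is matched against tags first, so a
    tag named like a protected branch passes although the schedule resolves to the branch."""
    if ref.startswith("refs/heads/"):
        name = ref[len("refs/heads/"):]
        return name not in repo.protected or user in repo.mergers.get(name, set())
    if ref.startswith("refs/tags/") or ref in repo.tags:
        return True
    return ref not in repo.protected or user in repo.mergers.get(ref, set())

def hardened_can_schedule(repo, user, ref):
    """Authorize against the ref the schedule will actually run on."""
    try:
        kind, name = resolve_ref(repo, ref)
    except ValueError:
        return False  # ambiguous or unknown ref: deny rather than guess
    if kind == "branch" and name in repo.protected:
        return user in repo.mergers.get(name, set())
    return True  # unprotected branch or tag: Developer role suffices (protected tags not modelled)

# Constructed state matching the report: a branch and a tag both named "protected".
REPO = Repo(branches={"main", "protected"}, tags={"protected"},
            protected={"protected"}, mergers={"protected": {"owner"}})
```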
POC
bandicam_2023-11-26_22-24-43-585.mp4
Impact
Developers with no merge access can create pipeline schedules on protected branches.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!