Private job artifacts can be accessed by any user

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2456845 by js_noob on 2024-04-09, assigned to GitLab Team:

Report

Summary

Hello team, a user in a project can set the artifacts of a job to be private so they're not accessible by any unauthorized user, from the docs:

To deny read access to artifacts in public pipelines for anonymous, guest, and reporter users, set artifacts:public to false

This is working as expected in the UI and the API, however, anonymous unauthorized users can still access those private artifacts using the needs keyword, in another pipeline.

NB: The following POC just shows a simple example of a static value, however, artifacts especially the env one usually contain confidential variables/info.

Steps to reproduce

As the victim:

  1. Create a new group and apply the ultimate trial to it
  2. Create a public project in that group
  3. Create a .gitlab-ci.yml file in that project. This job creates an ENV artifact that's private and isn't accessible by unauthorized users:

```yaml
build_vars:
  stage: build
  script:
    - echo "BUILD_VERSION=hello" >> build.env
  artifacts:
    reports:
      dotenv: build.env
    public: false
```

  4. When the pipeline finishes, verify the creation of a new artifact

Screenshot_2024-04-10_at_12.38.24_AM.png

As the attacker:

  1. Navigate to that project's artifacts page and verify that you can't download the .env artifact
  2. Create a new group, and apply the ultimate trial to it
  3. Create a project in that group, with the following .gitlab-ci.yml file:

```yaml
my_job:
  script:
    - echo "$BUILD_VERSION"
  needs:
    - project: VICTIM/PROJECT
      job: build_vars
      ref: main
      artifacts: true
```

  4. Notice the triggered pipeline: it should contain the value of the BUILD_VERSION variable that's saved in a private artifact
Example

Screen_Recording_2024-04-10_at_12.48.55_AM.mov

What is the current bug behavior?

Private artifacts are accessible using the needs keyword.

What is the expected correct behavior?

Private artifacts shouldn't be accessible using the needs keyword.

Output of checks

This bug happens on GitLab.com

Impact

Disclosure of private job artifacts to unauthorized users.
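An added audit helper (mine, not GitLab's or the reporter's) for maintainers who want to know where their CI configs depend on `artifacts:public: false` to protect job output, or consume artifacts cross-project via `needs:project`, the two sides of the path described above. It works on the dict that PyYAML's `yaml.safe_load` returns; the embedded inputs are the parsed form of the two CI files quoted in the report, and the `RESERVED` key set is my approximation of GitLab's non-job top-level keywords.

```python
"""Audit a parsed .gitlab-ci.yml for the two sides of this report: jobs that
rely on `artifacts:public: false` (or emit dotenv reports), and jobs that pull
artifacts from another project via `needs:project` (default `artifacts: true`)."""

# Top-level keys of .gitlab-ci.yml that are configuration, not jobs (assumed set).
RESERVED = {"stages", "variables", "default", "include", "workflow",
            "image", "services", "before_script", "after_script", "cache"}

def iter_jobs(config):
    """Yield (name, job) pairs, skipping reserved keys and hidden `.jobs`."""
    for name, body in config.items():
        if name in RESERVED or name.startswith(".") or not isinstance(body, dict):
            continue
        yield name, body

def audit_artifacts(config):
    """Jobs whose artifacts are marked non-public or carry a dotenv report."""
    findings = []
    for name, job in iter_jobs(config):
        art = job.get("artifacts")
        if not isinstance(art, dict):
            continue
        public = art.get("public", True)          # omitted means public
        reports = art.get("reports")
        dotenv = reports.get("dotenv") if isinstance(reports, dict) else None
        if public is False or dotenv is not None:
            findings.append({"job": name, "public": public, "dotenv": dotenv})
    return findings

def audit_cross_project_needs(config):
    """(job, upstream project, upstream job) for every cross-project need
    that downloads artifacts (`artifacts` omitted counts as true)."""
    findings = []
    for name, job in iter_jobs(config):
        for need in job.get("needs") or []:
            if isinstance(need, dict) and "project" in need and need.get("artifacts", True):
                findings.append((name, need["project"], need.get("job")))
    return findings

# Constructed input: the parsed form (what yaml.safe_load returns) of the two
# CI files quoted in the report.
VICTIM_CI = {"build_vars": {
    "stage": "build",
    "script": ['echo "BUILD_VERSION=hello" >> build.env'],
    "artifacts": {"reports": {"dotenv": "build.env"}, "public": False}}}
DOWNSTREAM_CI = {"my_job": {
    "script": ['echo "$BUILD_VERSION"'],
    "needs": [{"project": "VICTIM/PROJECT", "job": "build_vars",
               "ref": "main", "artifacts": True}]}}
```

Running `audit_artifacts` over the victim config flags `build_vars` (private, dotenv report), and `audit_cross_project_needs` over the downstream config lists the `VICTIM/PROJECT` dependency that would fetch it.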

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: