User with Developer role on a group can import a project with tag allowing him/her to steal CI/CD variables
HackerOne report #2783176 by salh4ckr on 2024-10-16, assigned to @ngeorge1:
Report
Hello team,
A user who is a group member with the Developer role can steal protected group/project CI/CD variables by importing a project with a protected tag into the victim group.
This issue was previously found by another researcher on gitlab.com about a year ago (#407782 (closed)).
It was fixed by preventing developers from being able to import projects and by resetting the repository settings on protected tags, but it looks like self-hosted instances are now vulnerable to the same issue.
Steps to reproduce
1. Create 2 accounts.
As Owner (victim):
2. Create a group A.
3. In group A, go to Settings > CI/CD and set variables.
4. Invite a user with the Developer role.
As Developer (attacker):
5. Create group B.
6. Create project B in group B.
7. Add a .gitlab-ci.yml file with the following content:
   image: ruby:latest
   job_name:
     script:
       - echo $VAR
8. Create a tag.
9. From the repository settings, protect the tag and allow Developers + Maintainers to create it.
10. From the project settings, export the project.
11. Import project B into group A; you can use group B to get the project import endpoint, as shown in the video.
12. After importing the project you will receive "404 Not Found", but it is imported; you can find it under group A.
13. Now create a pipeline using the tag you created.
14. Navigate to the job/pipeline logs and verify that the group CI/CD variables are being leaked.
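As an added example (not part of the report or of GitLab's own code), a small audit that flags the precondition the steps above rely on: a protected tag that Developers may create, inside a group that holds protected CI/CD variables. The input is constructed inline in the shape of the GitLab REST API responses for GET /groups/:id/variables and GET /projects/:id/protected_tags; the project names and variable values are made up, and no live instance is queried.

```python
"""Audit: protected tags creatable by Developers in a group with protected CI/CD variables.

Added example, not the report's or GitLab's code. Inputs are constructed samples
shaped like the GitLab REST API responses of GET /groups/:id/variables and
GET /projects/:id/protected_tags.
"""
from dataclasses import dataclass

DEVELOPER = 30  # GitLab access level of the Developer role (Maintainer is 40)

# Constructed sample of GET /groups/:id/variables for the victim group
GROUP_VARIABLES = [
    {"key": "VAR", "value": "s3cr3t", "protected": True, "masked": False},
    {"key": "PUBLIC_FLAG", "value": "1", "protected": False, "masked": False},
]

# Constructed sample: GET /projects/:id/protected_tags per project in the group
PROJECT_PROTECTED_TAGS = {
    "group-a/imported-project-b": [
        {"name": "v1.0", "create_access_levels": [
            {"access_level": 30, "access_level_description": "Developers + Maintainers"}]}],
    "group-a/safe-project": [
        {"name": "release-*", "create_access_levels": [
            {"access_level": 40, "access_level_description": "Maintainers"}]}],
}


@dataclass(frozen=True)
class Finding:
    project: str
    tag: str
    exposed_keys: tuple  # protected variable keys a protected-tag pipeline would receive


def protected_variable_keys(variables):
    """Keys of variables that are only injected into pipelines on protected refs."""
    return tuple(sorted(v["key"] for v in variables if v.get("protected")))


def developer_creatable(tag):
    """True if some create access level lets a Developer create this tag (0 means 'No one')."""
    return any(0 < (lvl.get("access_level") or 0) <= DEVELOPER
               for lvl in tag.get("create_access_levels", []))


def audit(group_variables, project_tags):
    """One Finding per Developer-creatable protected tag while protected variables exist."""
    keys = protected_variable_keys(group_variables)
    if not keys:
        return []  # nothing sensitive is gated on protected refs, so nothing to flag
    return [Finding(project, tag["name"], keys)
            for project, tags in sorted(project_tags.items())
            for tag in tags if developer_creatable(tag)]


if __name__ == "__main__":
    for f in audit(GROUP_VARIABLES, PROJECT_PROTECTED_TAGS):
        print(f"{f.project}: tag '{f.tag}' creatable by Developers exposes {', '.join(f.exposed_keys)}")
```

A finding means a Developer in the group can run a protected pipeline from that project and read the listed variables; the remediation is to raise the tag's create access level to Maintainer or above.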
Video_poc
VAR_POC.mp4
Impact
A malicious user with the Developer role can import a project with a tag, allowing him/her to steal CI/CD variables.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: