Private artifacts of a public project are accessible via the jobs API for any authenticated user
HackerOne report #2780353 by albatraoz
on 2024-10-14, assigned to @greg:
Report
Summary
According to the documentation:
To deny read access to artifacts in public pipelines for anonymous, guest, and reporter users, set artifacts:public to false:
https://docs.gitlab.com/ee/ci/yaml/#artifactspublic
It was observed that any authenticated user could access and download the artifacts of a public pipeline through the jobs API, even if the artifacts' public flag is set to false in the CI/CD configuration.
Steps to reproduce
- As a victim account A, create a public GitLab project in a GitLab group with an Ultimate license.
- Now add the following content to the .gitlab-ci.yml file in the repository to create a CI/CD pipeline with private artifacts.
test:
  script: ["echo $CI_JOB_TOKEN > secret.txt"]
  artifacts:
    paths: ['secret.txt']
    public: False
- Now, as attacker account B, try to access the job artifacts; access is denied.
- As attacker account B, open the following URL in the browser, replacing JOB_ID with the job ID of the pipeline from step 2:
https://gitlab.com/api/v4/jobs/[JOB_ID]/artifacts?artifact_format=zip&artifact_type=archive
A file is downloaded. Rename it with a .zip extension and extract it: the content of secret.txt is readable, showing that account B can access and download artifacts that were marked private.
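As an added check (not part of the original report), the following Python script lets a project owner verify, after a fix or on a self-managed instance, that the jobs API endpoint above refuses an authenticated non-member token for jobs whose artifacts are declared `public: false`. The job IDs, the outsider token and the `FakeOpener` simulation at the bottom are constructed for illustration; run it against a real instance by omitting the `opener` argument.

```python
import re
import urllib.error
import urllib.request

GITLAB = "https://gitlab.com"
# Endpoint from the report; with public: false it must not return 200 for non-members.
ARTIFACT_ENDPOINT = "/api/v4/jobs/{job_id}/artifacts?artifact_format=zip&artifact_type=archive"


def artifact_status(job_id, token, base_url=GITLAB, opener=None):
    """HTTP status the jobs API returns for a download attempt made with `token`."""
    opener = opener or urllib.request.build_opener()
    req = urllib.request.Request(
        base_url + ARTIFACT_ENDPOINT.format(job_id=job_id),
        headers={"PRIVATE-TOKEN": token},  # personal access token of the outsider account
    )
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403/404 is the expected outcome for private artifacts


def audit_private_artifacts(job_ids, outsider_token, **kwargs):
    """Return the job IDs whose private artifacts an outsider can still download."""
    return [jid for jid in job_ids
            if artifact_status(jid, outsider_token, **kwargs) == 200]


# --- constructed offline simulation of the API (not a real GitLab response) ---
class _FakeResponse:
    def __init__(self, status):
        self.status = status
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Maps job ID -> HTTP status so the audit can be exercised without network access."""
    def __init__(self, status_by_job):
        self.status_by_job = status_by_job
    def open(self, req):
        jid = int(re.search(r"/jobs/(\d+)/", req.full_url).group(1))
        code = self.status_by_job[jid]
        if code >= 400:
            raise urllib.error.HTTPError(req.full_url, code, "denied", {}, None)
        return _FakeResponse(code)
```

A non-empty result from `audit_private_artifacts` means the `public: false` setting is not being enforced for that job and the artifacts should be treated as exposed.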
POC
<redacted>
Impact
Accessing private artifacts of public pipelines in GitLab can expose sensitive information, such as secrets, credentials, or proprietary code, leading to unauthorized access.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
- <redacted>
How To Reproduce
Please add reproducibility information to this section: