
Unauthorized Access to Job Data via GraphQL Parent Authorization `getJobTraceHtmlSummary` query

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2972576 by pwnie on 2025-02-04, assigned to @ameyadarshan:


Report

Vulnerability Report: Unauthorized Access to Terraform Job Data via GraphQL Parent Authorization

Summary

A critical flaw in the GitLab GraphQL API allows unauthorized users to retrieve sensitive Terraform state job details. Instead of enforcing authorization at the job level, the endpoint relies solely on parent type checks. This misconfiguration lets users with minimal (custom guest) permissions access confidential job traces, manual CI/CD variables, and even traverse through previous job stages—potentially exposing the entire pipeline's sensitive data.

Steps to Reproduce

  1. Create a GitLab Group with Ultimate License:

    • Sign up for an Ultimate license trial at GitLab Free Trial.
    • Create a new group under this trial.
  2. Establish a Custom Role:

    • Within the group, define a custom role based on the Guest level.
    • Grant the additional permission admin_terraform to this custom role.
  3. Set Up a New Project:

    • Create a new project under the group.

    • Add the following .gitlab-ci.yml to configure a Terraform state upload job:

      # Uploads a minimal Terraform state to this project's state backend using the job token
      stages:
        - upload

      upload_terraform_state:
        stage: upload
        image: curlimages/curl:latest
        script:
          - 'echo "{\"version\": 4, \"terraform_version\": \"1.0.0\", \"resources\": []}" > state.tfstate'
          - >
            curl --fail --user "gitlab-ci-token:$CI_JOB_TOKEN" \
              -X POST "https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/terraform/state/example?serial=1" \
              --data-binary "@state.tfstate"
        only:
          - main
  4. Trigger the Pipeline:

    • Commit the changes to start the pipeline.
    • Wait for the job to finish executing.
  5. Invite an Attacker Account:

    • Add a second GitLab account to the project, assigning it the newly created custom role.
  6. Restrict Pipeline Visibility:

    • Before proceeding, ensure that the project's pipeline visibility is set to private so that pipelines aren’t displayed to unauthorized users.
  7. Confirm Limited Pipeline Access:

    • Log in with the second (attacker) account and verify that the pipelines list is not visible in the UI.
  8. Access the GraphQL Explorer:

    • Open the GitLab GraphQL Explorer.
  9. Execute the Vulnerable Query:

    • Paste the following GraphQL query into the explorer:

      query getJobTraceHtmlSummary(
        $projectPath: ID!
        $first: Int
        $last: Int
        $before: String
        $after: String
      ) {
        project(fullPath: $projectPath) {
          terraformStates(first: $first, last: $last, before: $before, after: $after) {
            nodes {
              latestVersion {
                job {
                  trace {
                    htmlSummary
                  }
                }
              }
            }
          }
        }
      }
    • In the variables section, provide appropriate values (for example):

      {
        "projectPath": "ultimate_0001/need_dos",
        "first": 25,
        "after": null,
        "last": null,
        "before": null
      }
  10. Observe the Exploit:

    • Execute the query. Notice that the job trace (htmlSummary) is returned despite the attacker's limited access.
    • Additionally, be aware that manual CI/CD variables and jobs from previous stages (accessible via fields like previous_stage_jobs) can also be retrieved. This enables both backward and forward traversal through the pipeline, significantly expanding the potential attack surface.

Impact

  • Unauthorized Data Exposure: Attackers with minimal permissions can access sensitive job traces and CI/CD variables, including details from Terraform state uploads.
  • Pipeline Traversal: The ability to traverse previous and potentially future job stages means that attackers might extract confidential data from multiple jobs within the pipeline.
  • Broader Security Risks: This flaw can expose sensitive infrastructure details, secrets, and internal operational data, which could be used to further compromise systems or perform targeted attacks.

Components Affected

  • GraphQL API Authorization: The authorization mechanism on the job-level entities in the GraphQL API is insufficient, relying entirely on parent object checks.
  • Terraform State Upload Endpoint: Sensitive job data related to Terraform state uploads is exposed.
  • Related Job Fields: Fields such as previous_stage_jobs and potentially those related to needs allow unauthorized traversal across the entire pipeline.

Recommendation

  • Implement Independent Authorization Checks: Modify the GraphQL API to enforce granular authorization on the job-level entities. Each job should verify the requester's permissions independently, regardless of parent type authorization.
  • Restrict Field Exposure: Limit the exposure of sensitive fields such as htmlSummary, manual variables, and job traversal fields (previous_stage_jobs and similar) to only those users with explicit permissions.
  • Adopt a Defense-in-Depth Approach: Review and enhance the authorization model across the API to ensure that sensitive data remains protected even if higher-level access controls are bypassed.

By addressing these issues, GitLab can significantly reduce the risk of unauthorized data exposure and ensure that only appropriately privileged users can access sensitive CI/CD and Terraform state job information.

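The recommendation above asks for each type in the resolver chain to authorize its own object instead of inheriting the parent's check. The following is an added illustration written for this issue, not GitLab's code: a toy resolver for the path project -> terraformStates -> latestVersion -> job -> trace.htmlSummary, with a hypothetical Policy class and permission names (read_project, read_terraform_state, read_build) and constructed sample data. A user who holds only the Terraform-state permission reaches the trace when the job is not checked, and gets null once the job type runs its own check.

```ruby
# Added illustration (not GitLab's code). Models per-type authorization in the
# spirit of graphql-ruby's `authorize`, for the nested path used in the report.
Project = Struct.new(:full_path, :terraform_states)
TfState = Struct.new(:name, :latest_version)
Version = Struct.new(:serial, :job)
Job     = Struct.new(:name, :trace_html)

# Hypothetical policy table: permission name => users holding it.
class Policy
  def initialize(grants)
    @grants = grants
  end

  def can?(user, perm)
    @grants.fetch(perm, []).include?(user)
  end
end

# Every type declares the permission needed to expose its objects.
TYPE_AUTHZ = {
  Project => :read_project,
  TfState => :read_terraform_state,
  Version => :read_terraform_state,
  Job     => :read_build # the job-level check the report found missing
}.freeze

# Resolves trace.htmlSummary for the first state, or nil when any check in the
# chain fails (a GraphQL server would null the field). With job_level_check:
# false the job inherits its parent's authorization and the trace leaks.
def resolve_trace_summary(policy, user, project, job_level_check:)
  state   = project.terraform_states.first
  version = state.latest_version
  job     = version.job
  chain = [project, state, version]
  chain << job if job_level_check # the fix: the job authorizes itself
  chain.each { |obj| return nil unless policy.can?(user, TYPE_AUTHZ[obj.class]) }
  job.trace_html
end

# Constructed sample data: one project, one state, one upload job.
JOB     = Job.new("upload_terraform_state", "<pre>uploading state.tfstate</pre>")
PROJECT = Project.new("example-group/example-project",
                      [TfState.new("example", Version.new(1, JOB))])
POLICY  = Policy.new({
  read_project:         %w[maintainer guest_tf],
  read_terraform_state: %w[maintainer guest_tf], # custom guest + admin_terraform
  read_build:           %w[maintainer]           # the guest never holds this
})
```

Calling resolve_trace_summary(POLICY, "guest_tf", PROJECT, job_level_check: false) returns the trace, while the same call with job_level_check: true returns nil; the maintainer gets the trace either way.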
How To Reproduce

Please add reproducibility information to this section: