IP Restriction Bypass Via Downstream Pipelines

A developer can bypass IP restriction of a group by using downstream pipelines. It allows the developer to trigger pipelines in the IP restricted group.

Assuming a group victim with project victim. It has its own runner that is not shared with any other group.

A developer of that group can just create another group attacker with project attacker. And trigger pipeline in the victim group using the following pipeline while bypassing the IP restriction of victim group.

trigger_job:
  trigger:
    project: victim/victim

The attacker group and victim group have nothing whatsoever related or shared.

Also, the attacker can pass in any variables while triggering the job in the victim project since this is natively supported by downstream pipeline.

Originally reported at Hackerone (3201818), the Gitlab Staff there recommended me to open a public issue here. So here I am 😄