Overwriting/Deleting unintended secret variable via API calls
Summary
In the Gitlab frontend for the secret variables there is the restriction that a keyname must be unique per environment scope (so that we can use the same KEY for different environments like staging or production)… unfortunately the API does not support this as it only filters variables per keyname.
This means that unintentionally the wrong variables get overwritten or deleted.
Steps to reproduce
- Navigate in the frontend to Settings->CD/CD->Secret Variables
- Create two or more entries with the same Key Name but on different environments like
| Name | Value | Protected | Environment |
|---|---|---|---|
| Key1 | V1 | false | * |
| Key1 | V2 | true | production |
| Key1 | V3 | true | staging |
- Try to change the value of Key1 for the production environment via API
echo "my changed value" | jq -Mc -R --slurp '{"key":"Key1","value": .,"protected":true,"environment_scope":"production"}' | curl --header "Private-Token: $GITLAB_PAT" -H "Content-Type: application/json" -X POST --data @- "https://gitlab.com/api/v4/projects/$PROJECTID/variables" - check for changed value
Example Project
Some EE project on gitlab.com
What is the current bug behavior?
Wrong secret variable gets overwritten, e.g. the first one
What is the expected correct behavior?
Modify secret variable chosen by keyname and environment_scope
Relevant logs and/or screenshots
n.a.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
- https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/api/variables.rb#L33
- https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/api/variables.rb#L81
- https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/api/variables.rb#L107
To not have a breaking API change:
- If more than one variable with the key is existing, use the environment_scope information from the body.
- Update API docs with the a hint/note about this and provide a recipe how to update, delete entries if we have multiple variablesd with the same key.
The frontend seems to use a specific unique id when updating variables, could this be incorporated into the API?