Exclude protected variables from multi-project pipeline bridge triggers

Dmytro Biryukov requested to merge dbiryukov_fix_vars_expansion_mr-419844 into master

What does this MR do and why?

Pipeline triggers allow pipelines in one project to trigger pipelines in another. GitLab offers an option to pass pipeline variables to the triggered pipelines (and of course, no protected variables should be passed). So protected variables can't be passed to the triggered pipelines unless a project/group owner/maintainer wants to (by hard-coding them). However, a developer with merge access to main can still do that.

This merge request filters out protected variables, preventing them from being passed to the downstream job.

How to set up and validate locally

  1. Create attacker user and with that user create a project attacker_disclose_proj with the following .gitlab-ci.yml

```yaml
# Downstream (attacker) pipeline: prints whatever was forwarded to it
leak:
  script:
    - echo $MY_VAR
    - echo $VAR
```

  2. Create victim user and with that user create a victim_group and victim_project under this group with the following .gitlab-ci.yml

```yaml
# Upstream (victim) pipeline: runs on main, where the protected VAR is available
build:
  script:
    - echo "$VAR"
    - echo "Building app..."

# Bridge job that forwards the upstream pipeline variables downstream
trigger-job:
  trigger:
    project: attacker/attacker_disclose_proj
    forward:
      pipeline_variables: true
```

  3. Define a protected variable VAR in victim_group with the value this is a secret
  4. Invite the victim as maintainer to the attacker project (using attacker user)
  5. Invite the attacker as developer to the victim project (using victim user) and allow developers to merge to main: Project Settings => Repository => Protected branches
  6. Verify that the pipeline is triggered and the variable is printed in the logs, navigate to the pipeline of the attacker's project, and verify that the variable is passed to the attacker's pipeline (i.e. the variable is printed in the logs) if the fix is not applied, or vice versa.
  7. Run a pipeline using attacker user on victim project injecting secret $VAR into pipeline variables.
  8. Switch ON the feature flag and test the fix: ::Feature.enable(:exclude_protected_variables_from_multi_project_pipeline_triggers)
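The mechanism behind the validation steps above, as an added illustration written for this page and not taken from GitLab's code: a pipeline variable the attacker supplies (MY_VAR set to "$VAR") is expanded against the upstream pipeline's variable scope before the bridge job forwards it, so a protected variable that is never forwarded directly still reaches the downstream job through expansion. The `expand` and `forwarded_variables` helpers, the `exclude_protected` flag and the sample variables are assumptions made to model the pre-fix and post-fix behaviour; they are not GitLab's own API.

```ruby
# Added illustration (not GitLab's code): model of how a forwarded pipeline
# variable can be expanded against a protected CI variable and leak it to a
# multi-project downstream pipeline, and how excluding protected variables
# from the expansion scope closes the hole. Helper names and the flag are
# assumptions for this example.

# Expand "$NAME" / "${NAME}" references in +value+ against +scope+
# (a Hash of key => value). Unknown names expand to "", as a shell would.
def expand(value, scope)
  value.gsub(/\$\{(\w+)\}|\$(\w+)/) { scope.fetch($1 || $2, '') }
end

# Variables handed to the downstream pipeline for a bridge job declared with
#   forward:
#     pipeline_variables: true
#
#   pipeline_vars:     variables supplied by whoever ran the upstream
#                      pipeline (here the attacker, a Developer on main)
#   ci_vars:           project/group CI variables visible to the upstream
#                      pipeline, each { key:, value:, protected: }
#   exclude_protected: false reproduces the pre-fix behaviour,
#                      true the behaviour this MR introduces
def forwarded_variables(pipeline_vars, ci_vars, exclude_protected:)
  visible = exclude_protected ? ci_vars.reject { |v| v[:protected] } : ci_vars
  scope   = visible.to_h { |v| [v[:key], v[:value]] }
  # Only pipeline variables are forwarded; CI variables are never forwarded
  # themselves, they are only used to expand references inside them.
  pipeline_vars.to_h { |k, v| [k, expand(v, scope)] }
end

# True if any forwarded value carries the protected secret.
def leaked?(forwarded, secret = 'this is a secret')
  forwarded.values.any? { |v| v.include?(secret) }
end

# Constructed sample matching the validation steps: a protected group
# variable VAR and one unprotected variable for contrast.
VICTIM_CI_VARS = [
  { key: 'VAR',    value: 'this is a secret', protected: true },
  { key: 'PUBLIC', value: 'hello',            protected: false }
].freeze

# The attacker runs the victim pipeline on main with MY_VAR set to "$VAR".
ATTACKER_PIPELINE_VARS = { 'MY_VAR' => '$VAR', 'OTHER' => '${PUBLIC}-suffix' }.freeze

if $PROGRAM_NAME == __FILE__
  before = forwarded_variables(ATTACKER_PIPELINE_VARS, VICTIM_CI_VARS, exclude_protected: false)
  after  = forwarded_variables(ATTACKER_PIPELINE_VARS, VICTIM_CI_VARS, exclude_protected: true)
  puts "before fix: #{before.inspect} leaked=#{leaked?(before)}"
  puts "after fix:  #{after.inspect} leaked=#{leaked?(after)}"
end
```

With `exclude_protected: false` the downstream job receives MY_VAR with the secret already substituted, which is exactly what `echo $MY_VAR` in the attacker project prints; with `exclude_protected: true` the reference expands to an empty string while unprotected variables such as PUBLIC still expand, so legitimate forwarding keeps working.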

Edited by Dmytro Biryukov