Return false on admin condition if an user authenticated with a job token (!167449) · Merge requests · GitLab.org / GitLab

Dmytro Biryukov requested to merge dbiryukov_prevent_job_token_from_admin_permissions_mr-474775 into master Sep 27, 2024

Rollout issue: #495627

What does this MR do and why?

Requests authenticated using CI_JOB_TOKEN should be considered untrusted by default. If the CI_JOB_TOKEN of an instance admin is leaked it could give the attacker a catastrophic permission escalation. This could happen if we have holes in the system that would allow an attacker to do more than what's expected for a CI_JOB_TOKEN

This MR removes CI_JOB_TOKEN from the admin condition in base policy.

Edited Sep 27, 2024 by Dmytro Biryukov

Return false on admin condition if an user authenticated with a job token

What does this MR do and why?

Merge request reports