Return false on admin condition if a user authenticated with a job token
Related to: https://gitlab.com/gitlab-org/gitlab/-/issues/474775
Rollout issue: #495627 (closed)
What does this MR do and why?
Requests authenticated using CI_JOB_TOKEN should be considered untrusted by default. If the CI_JOB_TOKEN of an instance admin is leaked it could give the attacker a catastrophic permission escalation. This could happen if we have holes in the system that would allow an attacker to do more than what's expected for a CI_JOB_TOKEN.

This MR removes CI_JOB_TOKEN from the admin condition in base policy.
Edited by Dmytro Biryukov
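
The effect of the change described above, modelled as an added example that is not GitLab's code or part of this MR: a policy whose admin condition returns false whenever the request was authenticated with a job token. `User`, `Request`, `BasePolicy` as written here, the ability names and the `job_token_is_untrusted` switch are all hypothetical.

```ruby
# Hypothetical model of the policy change; none of these names are GitLab's.
User = Struct.new(:name, :admin, keyword_init: true)

# A request carries the user plus how that user was authenticated.
Request = Struct.new(:user, :auth_method, keyword_init: true) do
  def job_token?
    auth_method == :ci_job_token
  end
end

class BasePolicy
  ADMIN_ONLY = %i[read_all_projects manage_instance_settings].freeze
  JOB_SCOPED = %i[read_job_artifacts].freeze

  # job_token_is_untrusted: false reproduces the behaviour before the change.
  def initialize(request, job_token_is_untrusted: true)
    @request = request
    @job_token_is_untrusted = job_token_is_untrusted
  end

  # Admin condition: a job-token request is never admin, whatever role the
  # user who owns the token holds.
  def admin?
    return false if @job_token_is_untrusted && @request.job_token?

    @request.user.admin
  end

  def allowed?(ability)
    return true if ADMIN_ONLY.include?(ability) && admin?

    JOB_SCOPED.include?(ability) && @request.job_token?
  end
end

# Admin-only abilities a request ends up with, before (fixed: false) and
# after (fixed: true) the change.
def admin_abilities_granted(request, fixed:)
  policy = BasePolicy.new(request, job_token_is_untrusted: fixed)
  BasePolicy::ADMIN_ONLY.select { |ability| policy.allowed?(ability) }
end

# Constructed sample: a request made with an instance admin's job token.
if __FILE__ == $PROGRAM_NAME
  admin = User.new(name: "root", admin: true)
  leaked = Request.new(user: admin, auth_method: :ci_job_token)
  puts "before: #{admin_abilities_granted(leaked, fixed: false).inspect}"
  puts "after:  #{admin_abilities_granted(leaked, fixed: true).inspect}"
end
```

The same admin user keeps admin abilities on a non-job-token request, so only the token-authenticated path loses them.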