Bypassing push rules via repository mirrors
HackerOne report #684724 by xanbanx
on 2019-08-29, assigned to gitlab_cmaxim
Hi GitLab Security Team,
Summary
GitLab EE has a feature called push rules. An administrator, or, more fine-grained, the owner of a project, can create certain push rules. The goal of these push rules is to prevent commits that violate one of the rules from being pushed to the repository. If a commit violating one of the push rules is pushed to the repository, a pre-check is executed, which decides whether the commit attempt should be rejected. The user then gets an error message indicating that the commit does not follow the rules.
On the other hand, GitLab has the ability to mirror a repository from a different repository. GitLab periodically pulls the repo from a remote location to the local GitLab repository.
Here the problem arises. When mirroring a remote repository, GitLab does not check the push rules. An arbitrary commit can be pulled from the remote repo, bypassing any push rule set up globally by the GitLab administrator or locally by the project owner.
Steps to reproduce
- Create a repository and enable the following push rules under https://example.gitlab.com/<namespace>/<project>/settings/repository:
  - Check "Committer restriction"
  - Check "Reject unsigned commits"
  - Check "Check whether author is a GitLab user"
  - Check "Prevent committing secrets to Git"
  - Change "Commit message" to "Fixes \d+\..*"
  - Change "Commit message negative match" to "ssh\:\/\/"
  - Change "Commit author's email" to "@example.com$"
  - Change "Prohibited file names" to "(jar|exe)$"
- Set up a mirror repository under https://example.gitlab.com/<namespace>/<project>/settings/repository with direction "pull". If the repo is public you don't need to set up any authentication method.
- On the remote mirror, create a commit with a user who is not on GitLab and an email not matching the push rule above:
  - Add a file named "id_rsa"
  - Add a file named "test.exe"
  - Name the commit message "Bypassing push rules ssh://foo.bar"
- Wait until the repo is mirrored.
You now see that the commit from the remote repo is pushed to the GitLab project, thereby bypassing all the push rules set up above.
The only push rule that seems to be enforced is the branch name push rule.
Impact
This allows anyone to bypass push rules set up by an administrator or project owner. This can lead to secrets being pushed to the repo, commits created by unknown users, etc.
Examples
I have added the push rules as described above to an example repo and added a mirror repo. You can view the result at https://gitlab.com/wter23/test-push-rules-mirror
What is the current bug behavior?
GitLab accepts and pushes commits from a mirrored repo that violate a configured push rule.
What is the expected correct behavior?
GitLab should reject commits from mirrored repos that violate a push rule.
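The check that mirrored commits are expected to go through, written here as an added Python example that is not part of the report or of GitLab's code: it evaluates a commit against the push rules from the steps above and returns the rules it violates. The regexes are the report's; the sample commits, the one-entry secret-file list and the known-user set are constructed for the example.

```python
import re
from dataclasses import dataclass

# Push rules from the report's reproduction steps (branch name rule omitted,
# since the report says it is the one rule still enforced on mirrors).
PUSH_RULES = {
    "commit_message": re.compile(r"Fixes \d+\..*"),
    "commit_message_negative": re.compile(r"ssh\:\/\/"),
    "author_email": re.compile(r"@example.com$"),
    "prohibited_file_names": re.compile(r"(jar|exe)$"),
}
# "Prevent committing secrets to Git" matches known secret file names; this
# constructed list holds only the name used in the report.
SECRET_FILE_NAMES = ("id_rsa",)


@dataclass
class Commit:
    message: str
    author_email: str
    files: list  # paths added or changed by the commit


def check_commit(commit, known_users=frozenset()):
    """Return the push rules the commit violates (empty list = accepted)."""
    violations = []
    if not PUSH_RULES["commit_message"].search(commit.message):
        violations.append("commit message does not match required pattern")
    if PUSH_RULES["commit_message_negative"].search(commit.message):
        violations.append("commit message matches negative pattern")
    if not PUSH_RULES["author_email"].search(commit.author_email):
        violations.append("author email not allowed")
    if commit.author_email not in known_users:  # "author is a GitLab user"
        violations.append("author is not a GitLab user")
    for path in commit.files:
        name = path.rsplit("/", 1)[-1]  # rules match on the file name
        if PUSH_RULES["prohibited_file_names"].search(name):
            violations.append(f"prohibited file name: {path}")
        if name in SECRET_FILE_NAMES:
            violations.append(f"secret file: {path}")
    return violations


# Constructed from the report's steps: the commit the mirror pulled in.
MIRRORED_COMMIT = Commit(
    message="Bypassing push rules ssh://foo.bar",
    author_email="someone@example.org",
    files=["id_rsa", "test.exe"],
)
# Constructed commit that satisfies every rule above.
GOOD_COMMIT = Commit("Fixes 12. typo", "dev@example.com", ["README.md"])
```

Running check_commit on MIRRORED_COMMIT lists six violations, one per rule the report shows being bypassed; the same check applied at mirror-update time would reject the pulled commit.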
Relevant logs and/or screenshots
Output of checks
This happens on gitlab.com
Best,
Xanbanx
Impact
See above.