ESCALATED: Deploy tokens with read_repository scope are allowed to access the docker registry

HackerOne report #687272 by xanbanx on 2019-09-03, assigned to jmatos_bgtvf:

Hi GitLab security team,

Summary

Deploy tokens can have read_repository and read_registry scopes. A token that only allows the read_repository and not the read_registry scope can be used to access the docker registry.

Steps to reproduce

  1. Create a project
  2. Create a deploy token with a username and only read_repository scope
  3. Using that token, login to the docker registry via `docker login registry.gitlab.example.com -u -p`:
▶ docker login registry.example.gitlab.com -u <deploy-token-user> -p <deploy-token>
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/rschilling/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Impact

This gives unauthorized users access to the docker registry. Furthermore, there is no auditing, so you do not know that an unprivileged token was used to access the registry.

What is the current bug behavior?

Deploy tokens without read_registry scope can be used to access the docker registry.

What is the expected correct behavior?

Deploy tokens without read_registry scope cannot be used to access the docker registry.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Best regards,
Xanbanx

Impact

See above.
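As an added illustration of the check the report says is missing (example code, not GitLab's own): a registry authorization step that grants a deploy token access only when it carries the read_registry scope, and records every decision so that an attempt with a read_repository-only token is visible in an audit log. The struct, the action-to-scope table and the sample token names are assumptions made for this example.

```ruby
# Example (not GitLab's code): scope check for deploy tokens at the
# container registry authorization step, with an audit record per decision.
DeployToken = Struct.new(:username, :scopes, keyword_init: true)

# Registry action -> deploy-token scope that grants it. read_repository
# deliberately appears nowhere here: it must never open the registry.
REGISTRY_SCOPE_FOR_ACTION = {
  'pull' => 'read_registry'
}.freeze

# In-memory audit trail standing in for a real audit log sink (assumption).
AUDIT_LOG = []

# True only when the token carries the scope the registry action requires.
# A token with just read_repository is refused, which is the expected
# behavior the report asks for.
def registry_access_allowed?(token, action)
  required = REGISTRY_SCOPE_FOR_ACTION[action]
  return false if required.nil?          # unknown action: deny by default
  token.scopes.include?(required)
end

# Authorize one registry action and always write an audit entry, so a
# denied (or unexpectedly granted) unprivileged token leaves a trace.
def authorize_registry(token, action, log: AUDIT_LOG)
  allowed = registry_access_allowed?(token, action)
  log << { actor: token.username, action: action,
           scopes: token.scopes.dup, allowed: allowed }
  allowed ? :granted : :denied
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tokens mirroring the report's scenario.
  repo_only = DeployToken.new(username: 'deploy-token-user', scopes: ['read_repository'])
  registry  = DeployToken.new(username: 'registry-user', scopes: %w[read_repository read_registry])
  puts authorize_registry(repo_only, 'pull')   # denied
  puts authorize_registry(registry, 'pull')    # granted
  AUDIT_LOG.each { |entry| puts entry.inspect }
end
```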

Edited by GitLab SecurityBot