ESCALATED: Deploy tokens with read_repository scope are allowed to access the docker registry
HackerOne report #687272 by xanbanx
on 2019-09-03, assigned to jmatos_bgtvf
Hi GitLab security team,
Summary
Deploy tokens can have `read_repository` and `read_registry` scopes. A token that only allows the `read_repository` and not the `read_registry` scope can be used to access the docker registry.
Steps to reproduce
- Create a project
- Create a deploy token with a username and only the `read_repository` scope
- Using that token, log in to the docker registry via `docker login registry.gitlab.example.com -u <deploy-token-user> -p <deploy-token>`:

```
▶ docker login registry.example.gitlab.com -u <deploy-token-user> -p <deploy-token>
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/rschilling/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
```
Impact
This gives unauthorized users access to the docker registry. Furthermore, there is no auditing, so you do not know that an unprivileged token was used to access the registry.
What is the current bug behavior?
Deploy tokens without the `read_registry` scope can be used to access the docker registry.
What is the expected correct behavior?
Deploy tokens without the `read_registry` scope cannot be used to access the docker registry.
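To verify the expected behaviour on an instance, the following added example (not part of the report or of GitLab's own code) walks the same registry token-auth flow that `docker login` and `docker pull` use: it reads the registry's Bearer challenge, asks the auth realm for a pull token using the deploy token as Basic credentials, and inspects the `access` claim of any JWT it gets back. The registry URL, credentials and `group/project` path are assumptions supplied by the caller, and `constructed_jwt` builds an unsigned sample token only for offline testing.

```python
"""Docker registry v2 token-auth check: can a GitLab deploy token obtain a registry
bearer token? Added example, not the report's or GitLab's code; inputs come from the caller."""
import base64, json, re, urllib.error, urllib.request
from urllib.parse import urlencode

def parse_challenge(header):
    """Parse 'Bearer realm="...",service="..."' into a dict of its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge, got %r" % header)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_url(challenge, repository):
    """URL the Docker client calls to request a pull token on `repository`."""
    query = {"service": challenge["service"], "scope": "repository:%s:pull" % repository}
    return "%s?%s" % (challenge["realm"], urlencode(query))

def granted_actions(jwt, repository):
    """Actions the token's `access` claim grants on `repository` (may be none)."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return sorted({act for a in claims.get("access", []) if a.get("type") == "repository"
                   and a.get("name") == repository for act in a.get("actions", [])})

def verdict(status, jwt, repository):
    """'denied': refused; 'login-only': token issued but grants nothing; 'pull': grants pull."""
    if status in (401, 403):
        return "denied"
    if status == 200 and jwt:
        return "pull" if "pull" in granted_actions(jwt, repository) else "login-only"
    return "unexpected(%s)" % status

def check(registry, user, token, repository):
    """Run the two-step flow against a live registry and return the verdict."""
    try:
        urllib.request.urlopen(registry.rstrip("/") + "/v2/")
    except urllib.error.HTTPError as e:          # the 401 carries the challenge
        challenge = parse_challenge(e.headers.get("WWW-Authenticate", ""))
    else:
        raise RuntimeError("registry did not challenge for authentication")
    req = urllib.request.Request(token_url(challenge, repository))
    req.add_header("Authorization", "Basic " +
                   base64.b64encode(("%s:%s" % (user, token)).encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            return verdict(resp.status, json.load(resp).get("token"), repository)
    except urllib.error.HTTPError as e:
        return verdict(e.code, None, repository)
def constructed_jwt(access):  # unsigned sample token, constructed for offline tests
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (seg({"alg": "none"}), seg({"access": access}))
```

Call `check("https://registry.gitlab.example.com", "<deploy-token-user>", "<deploy-token>", "group/project")` with a token that has only `read_repository` scope; a `login-only` result means the auth service still issues a token to it, which is exactly why `docker login` succeeds in the report.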
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
Edited by GitLab SecurityBot