Skip to content

Add check to export data script for variable type

Background

Wrong CI ENV variable type can lead to security breach incident like: https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1368424305

It completes request from https://gitlab.com/gitlab-sirt/incident_3555/-/issues/1#note_1367754955 resolves https://gitlab.com/gitlab-org/analytics-section/product-intelligence/metrics-library/-/issues/1

Goal

Check variable type before it will be used for authentication that can cause data leaking.

Verification

Here is job log that run before correct safeguard was added https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181930165

Screenshot_2023-04-26_at_13.47.46

And here is one that have run with safeguard https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4181969206

Screenshot_2023-04-26_at_13.48.59

And another with safe guard when correct variable type is set https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182175231

Screenshot_2023-04-26_at_14.11.42

Final scenario where CI ENV variable (GOOGLE_PROJECT_ID) type is set to file when it should be variable. In that case it looks that variable content is not exposed https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/jobs/4182783373

Screenshot_2023-04-26_at_15.29.40

You can trigger new jobs from https://gitlab.com/gitlab-org/gitlab-services/version.gitlab.com/-/pipeline_schedules/375132/edit to see it fail

or change env type of GCLOUD_SERVICE_KEY to file, and see type validation passing through

Edited by Mikołaj Wawrzyniak

Merge request reports

Loading