CI/CD settings from API should only be viewed by maintainers
Log in as a user who is a developer in project 6 and make a request against project 6's show endpoint:
curl --request GET "http://127.0.0.1:3000/api/v4/projects/6"
You will see multiple CI/CD settings fields. Part of the payload, as an example:
"ci_allow_fork_pipelines_to_run_in_parent_project" : true,
"ci_config_path" : null,
"ci_default_git_depth" : 20,
"ci_forward_deployment_enabled" : true,
"ci_job_token_scope_enabled" : false,
The fields from the project_ci_cd_settings table that are exposed include:
ci_allow_fork_pipelines_to_run_in_parent_project,
ci_config_path,
ci_default_git_depth,
ci_forward_deployment_enabled,
ci_job_token_scope_enabled,
keep_latest_artifact,
restrict_user_defined_variables,
runner_token_expiration_interval,
ci_separated_caches,
ci_opt_in_jwt
There are additional CI/CD setting fields in the project table, for instance (not a comprehensive list):
auto_cancel_pending_pipelines
auto_devops_enabled
Manage CI/CD settings is documented as requiring Maintainer and up: https://docs.gitlab.com/ee/user/permissions.html
Is this a vulnerability, or should we document that reading CI/CD settings does not require maintainer permissions?
I don't see separate permissions documented for View CI/CD settings, and I can't view the settings in the UI as a developer.
Proposal
Update the permissions to match this table.
Access Method | Non-member | Guest | Reporter | Developer | Maintainer | Owner |
---|---|---|---|---|---|---|
UI | None | None | None | None | Read | Read |
Projects API REST | None | None | None | Read (change to: No access) | Read | Read |
Query.project GraphQL | None | None | None | None | Yes | Yes |
Mutation.projectCiCdSettingsUpdate GraphQL | None | None | None | None | Yes | Yes |
Update the entity Entities::Project for every CI/CD attribute/field that requires maintainer permission to access. Since the entity already receives the current_user, each such attribute can be guarded with Ability.allowed?(options[:current_user], :admin_project, project) so that it is only returned when the requesting user is allowed to administer the project.
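The following is an added example, not GitLab's own code, of the conditional exposure the proposal describes. It assumes a small stand-in for the Grape entity DSL (`MiniEntity`, supporting `expose name, if: ->(object, options) { ... }` the way grape-entity does), a stub `Ability.allowed?` that grants `:admin_project` to maintainers and owners, and plain structs for `Project` and `User`; the sample project and members are constructed for the demonstration.

```ruby
# Added example (not GitLab's code): a Grape-style entity that exposes the
# CI/CD settings attributes only when the current user is allowed
# :admin_project on the project, i.e. Maintainer and up.
#
# Assumptions (constructed for this example):
#   - MiniEntity stands in for Grape::Entity's `expose name, if: ...` DSL.
#   - Ability.allowed? is a stub; real GitLab resolves this via policy classes.
#   - Project and User are plain structs, not ActiveRecord models.

MAINTAINER_AND_UP = %w[maintainer owner].freeze

Project = Struct.new(:id, :name, :ci_config_path, :ci_default_git_depth,
                     :ci_job_token_scope_enabled, :members, keyword_init: true)
User = Struct.new(:username, keyword_init: true)

module Ability
  # Stub: :admin_project is granted to maintainers and owners of the project.
  # An anonymous request (nil user) is never allowed.
  def self.allowed?(user, action, project)
    return false if user.nil? || action != :admin_project

    MAINTAINER_AND_UP.include?(project.members[user.username])
  end
end

# Minimal stand-in for Grape::Entity: records exposures and evaluates the
# optional `if:` proc with (object, options) at serialization time.
class MiniEntity
  def self.exposures
    @exposures ||= []
  end

  def self.expose(*names, **opts)
    names.each { |name| exposures << [name, opts[:if]] }
  end

  def self.represent(object, options = {})
    exposures.each_with_object({}) do |(name, condition), out|
      next if condition && !condition.call(object, options)

      out[name.to_s] = object.public_send(name)
    end
  end
end

# Attributes that should only be visible to users who can manage CI/CD settings.
MAINTAINER_ONLY_CI_ATTRIBUTES =
  %i[ci_config_path ci_default_git_depth ci_job_token_scope_enabled].freeze

class ProjectEntity < MiniEntity
  expose :id, :name
  # Same guard the proposal suggests appending to each CI/CD attribute.
  expose(*MAINTAINER_ONLY_CI_ATTRIBUTES,
         if: ->(project, options) { Ability.allowed?(options[:current_user], :admin_project, project) })
end

# Serialize a project the way the API's show endpoint would for current_user.
def serialize_project(project, current_user)
  ProjectEntity.represent(project, current_user: current_user)
end

# Constructed sample data: project 6 with one developer and one maintainer.
SAMPLE_PROJECT = Project.new(
  id: 6, name: 'demo',
  ci_config_path: nil, ci_default_git_depth: 20, ci_job_token_scope_enabled: false,
  members: { 'dev' => 'developer', 'maint' => 'maintainer' }
)

# Which of the guarded CI/CD keys end up in the payload for a given username
# (nil means an anonymous request).
def ci_keys_visible_to(username)
  user = username && User.new(username: username)
  serialize_project(SAMPLE_PROJECT, user).keys & MAINTAINER_ONLY_CI_ATTRIBUTES.map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  %w[dev maint].each { |u| puts "#{u}: #{ci_keys_visible_to(u).inspect}" }
  puts "anonymous: #{ci_keys_visible_to(nil).inspect}"
end
```

Run directly, the script shows the developer and anonymous payloads without any of the guarded keys while the maintainer payload carries all three; the `id` and `name` fields stay visible to everyone the entity is rendered for, which mirrors the proposed table where only the CI/CD settings move to "No access" for Developer.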