Prevent information leak in rules:exists:project

Manuel Grabowski requested to merge mg-fix-information-leak-exists-20241231 into master

What does this MR do and why?

Different error messages for "does not exist" and "do not have access" allow enumerating valid project paths. This came up during review of Unmask valid project path in rules:exists errors (!159647 - closed), see this discussion (internal).

How to set up and validate locally

  1. Create two projects proj1 and proj2 with private visibility

  2. Add .gitlab-ci.yml in proj1:

    # Comment to edit later
    force-job:
      script: exit 0
    
    job:
      script: exit 0
      rules:
        - exists:
            paths: [somefile.txt]
            project: path/to/proj2
            ref: main

  3. Add a user as Maintainer to proj1, but not to proj2

  4. As that user, go to Pipeline Editor in proj1, edit the comment and commit to trigger a pipeline

    • Observe the error message

  5. Add the user to proj2 with Developer or above

  6. As that user, go to Pipeline Editor in proj1, edit project: to an invalid path

    • Observe the error message

Without these changes, the error messages differ and confirm that path/to/proj2 is valid. With the changes, it's the same message.
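The manual comparison above, written as a regression check in Ruby. This is an added example, not GitLab's code and not part of this MR; the resolver names, the in-memory project table and the error strings are all constructed for illustration.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical.
Project = Struct.new(:path, :member_ids)

# Constructed sample data: one private project with a single member (user 1).
PROJECTS = {
  'path/to/proj2' => Project.new('path/to/proj2', [1])
}.freeze

class ExistsProjectError < StandardError; end

# Before: two messages. A caller without access can tell a real path from a
# made-up one by comparing the errors.
def resolve_leaky(path, user_id)
  project = PROJECTS[path]
  raise ExistsProjectError, "rules:exists:project `#{path}` does not exist" unless project
  unless project.member_ids.include?(user_id)
    raise ExistsProjectError, "rules:exists:project access denied to `#{path}`"
  end
  project
end

# After: "missing" and "no access" collapse into one branch and one message.
def resolve_uniform(path, user_id)
  project = PROJECTS[path]
  return project if project&.member_ids&.include?(user_id)
  raise ExistsProjectError,
        "rules:exists:project `#{path}` is not a valid project path or access is denied"
end

# Returns the error message with the submitted path masked, so two outcomes
# can be compared independently of the input string (nil when no error).
def error_shape(resolver, path, user_id)
  send(resolver, path, user_id)
  nil
rescue ExistsProjectError => e
  e.message.sub(path, '<path>')
end

# True when an outsider (user 2) gets distinguishable errors for a real
# private path versus a nonexistent one, i.e. the resolver acts as an oracle.
def enumerable?(resolver)
  error_shape(resolver, 'path/to/proj2', 2) != error_shape(resolver, 'no/such/project', 2)
end

puts "leaky resolver enumerable:   #{enumerable?(:resolve_leaky)}"
puts "uniform resolver enumerable: #{enumerable?(:resolve_uniform)}"
```

Asserting that the masked error is identical for both cases in a spec keeps a later wording change from reintroducing the difference.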
