
CI token credentials exposed by public git config
Closed, Resolved | Public | Security

Description

From security@wikimedia.org

https://design.wikimedia.org/.git/config
https://design.wikimedia.org/style-guide/.git/config
https://design.wikimedia.org/strategy/.git/config

exposes the temporary GitLab job token. We should prevent .git directories from being public in microsites.


The repository is https://gitlab.wikimedia.org/repos/sre/miscweb/design-landing-page , the image definition does:

copies:
  - from: local
    source: ./.
    destination: ./html/

Thus copying the .git directory. The Apache <VirtualHost> has a deny rule:

<Directory /srv/org/wikimedia/.git>
    Require all denied
</Directory>

But within Blubber, the files are copied under /srv/app by default and the path is /srv/app/html/.git.

The image is docker-registry.wikimedia.org/repos/sre/miscweb/design-landing-page:2024-01-17-103642

Details

Risk Rating
High
Author Affiliation
WMF Technology
Related Changes in Gerrit:
Related Changes in GitLab:
Title                                             | Reference                                     | Author | Source Branch                                          | Dest Branch
Remove and restrict config files from image build | repos/sre/miscweb/design-landing-page!6       | danirm | config-on-prod                                         | master
exclude .git folder from image build              | repos/sre/miscweb/wikiworkshop!25             | jelto  | dockerignore                                           | master
exclude .git folder from image build              | repos/sre/miscweb/research-landing-page!39    | jelto  | dockerignore                                           | master
exclude .git folder from image build              | repos/sre/miscweb/security-landing-page!10    | jelto  | dockerignore                                           | master
exclude .git folder from image builds             | repos/sre/miscweb/transparencyreport!3        | jelto  | dockerignore                                           | master
Exclude .git folder from image build              | repos/sre/miscweb/design-landing-page!5       | dancy  | master-Ie696ae656e751ece109a460a28d251a7a0150852       | master
remove .git folder from image build               | repos/sre/miscweb/design-strategy!11          | jelto  | clean-git-folder                                       | master
remove .git folder from image build               | repos/sre/miscweb/design-landing-page!4       | jelto  | clean-git-folder                                       | master

Event Timeline

Similar issue here:

https://design.wikimedia.org/style-guide/.git/config

I think we can fix it by adding to the miscweb chart a file to add under /etc/apache2/conf-enabled/git-deny.conf as a subPath volumemount from a configmap that contains

<DirectoryMatch /\.git>
  Require all denied
</DirectoryMatch>

Thanks for raising this issue. I think it makes sense to block that folder in apache. However we should avoid putting this file in the container image at all by fixing the blubber config. Because even if we are blocking the path in apache, you could just pull the image and extract the token locally.

I'm currently trying to find the correct way to revoke that token, which is not obvious.

A first test using this token returns a 404, which is the default behavior for unauthorized requests according to the docs.

hashar removed Jelto as the assignee of this task. Dec 16 2024, 9:32 AM
hashar updated the task description.
hashar updated the task description.

I tried to use the token but I get Access denied:

remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.wikimedia.org/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'https://gitlab.wikimedia.org/repos/sre/miscweb/design-landing-page.git/'

Also when I try to use the token in API I get a 404:

curl --request POST --form "token=$CI_JOB_TOKEN" --form ref=master "https://gitlab.wikimedia.org/api/v4/projects/1933/trigger/pipeline"
{"message":"404 Not Found"}

I'm still trying to find the token in the GitLab API to properly revoke it/verify it's expired/revoked.

I was not able to find the linked API key in GitLab. Unfortunately the Token information API is not available in 17.4 (our version) and needs at least 17.5.

However I'm pretty sure the token included above is a "GitLab CI/CD job token": see https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html

The job tokens are "valid only while the job is running. After the job finishes, the token access is revoked and you cannot use the token anymore", see docs.
That's also the reason why I can't find anything about the token in GitLab and can't use it anymore.

I'll prepare a MR which excludes .git from the blubber pipeline in all miscweb images and a fix for the apache config.

@dancy @brennen is it necessary for kokkuri to persist the token to the git config? This issue might happen again for other projects and I'm wondering if it's possible to prevent that on the kokkuri level.

I opened https://gitlab.wikimedia.org/repos/sre/miscweb/design-landing-page/-/merge_requests/4 which uses a dedicated builder variant to remove the .git folder and to fix the apache config.

Jelto lowered the priority of this task from Unbreak Now! to High. Dec 16 2024, 1:32 PM

A fix was deployed which removed the .git folder from design.wikimedia.org.

I'll also check the other miscweb sites for similar issues. @Joe I'll lower the priority because this issue should be fixed in the next hours (when the updated version is also in cache) and the tokens are all expired/revoked already.

However I'll set the priority to high until the other miscweb services and potentially all other kokkuri builds are reviewed.

For clarity, as you noticed: these tokens are useless by the time the image is published. I wonder if the presence in the .git dir is gitlab's doing vs kokkuri's? @dancy or @dduvall would know for sure.

Gitlab-CI performs the clone of the repository. It runs git clone https://gitlab-ci-token:thetempjobtoken@gitlab.wikimedia.org/<repo-path>.git. Git always stores the repo URL in .git/config.
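As an added example (not code from this task or from any of the projects involved), a check a build pipeline could run over the build context or an extracted image root before publishing: it parses each .git/config, flags remote URLs that still carry the userinfo a token-bearing clone leaves behind, and rewrites them without it. The host, repository path and token value in the sample are constructed placeholders.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of the .git/config that a CI clone of the form
# `git clone https://gitlab-ci-token:<job token>@<host>/<repo>.git` leaves
# behind; the token value is a placeholder, not a real credential.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
\turl = https://gitlab-ci-token:PLACEHOLDER-JOB-TOKEN@gitlab.example.org/repos/sre/miscweb/design-landing-page.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""
_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

def strip_userinfo(url):
    """Return url with any user:password@ part removed (no-op if absent)."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    return urlunsplit(parts._replace(netloc=f"{host}:{parts.port}" if parts.port else host))

def scrub_git_config(text):
    """Rewrite url= entries that embed a password; return (clean_text, findings)."""
    findings, out, section = [], [], None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
        else:
            kv = _KEYVAL.match(line)
            if kv and kv.group(1).lower() == "url" and urlsplit(kv.group(2)).password:
                findings.append((section, kv.group(2)))  # e.g. ('remote "origin"', url)
                line = line.replace(kv.group(2), strip_userinfo(kv.group(2)))
        out.append(line)
    return "\n".join(out) + "\n", findings

def scan_tree(root):
    """Map each .git/config under root (build context or extracted image rootfs)
    to its credential-bearing URLs; an empty dict means nothing leaked."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scrub_git_config(fh.read())[1]
            if findings:
                hits[path] = findings
    return hits
```

Excluding .git from the image (as the .dockerignore merge requests do) is the real fix; this check is the gate that catches a regression before an image is pushed.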

sbassett changed the task status from Open to In Progress. Dec 16 2024, 5:24 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett subscribed.

Thanks all for addressing this so quickly!

Thanks @dancy, this looks much cleaner! I wasn't aware that Blubber recognizes the .dockerignore file.

I've also updated the MRs in https://gitlab.wikimedia.org/repos/sre/miscweb/design-strategy/-/merge_requests/11 and https://gitlab.wikimedia.org/repos/sre/miscweb/design-style-guide/-/merge_requests/5.

https://design.wikimedia.org/.git/config returns a 404 for me, design-strategy and design-style-guide need a few more hours I guess.

curl -I https://design.wikimedia.org/.git/config
HTTP/2 404 
date: Tue, 17 Dec 2024 09:32:07 GMT
server: istio-envoy
content-length: 282
content-type: text/html; charset=iso-8859-1
age: 364
x-cache: cp3071 miss, cp3071 hit/2
x-cache-status: hit-front

Just to be sure I'll add a similar .dockerignore to the other miscweb image repos as well.

I added .dockerignore files to all miscweb projects.

For design-strategy and design-style-guide, the Git config is still cached. Once the files are out of cache, I'll resolve this task.

The .git folder was removed from all design miscweb sites and container images. For the other miscweb sites a similar .dockerignore was added as a precaution.

https://design.wikimedia.org/.git/config
https://design.wikimedia.org/style-guide/.git/config
https://design.wikimedia.org/strategy/.git/config

All return a 404 for me so the issue is fixed. I'll resolve the task. @dancy thanks for the quick help!

sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.