Forbid trigger pipeline requests with Gitlab-Event header

We ban the requests with the custom HTTP header, X-Gitlab-Event, on the pipeline trigger endpoint, as this should never be an acceptable situation.

Forbid trigger pipeline requests with Gitlab-Event header
We ban the requests with the custom HTTP header, X-Gitlab-Event, on the pipeline trigger endpoint, as this should never be an acceptable situation.
4d1d66ca · Marius Bobin · 253a09fc · 4d1d66ca · 4d1d66ca · 4d1d66ca
Commit 4d1d66ca authored Feb 13, 2020 by Marius Bobin
4 changed files
--- a/app/services/web_hook_service.rb
+++ b/app/services/web_hook_service.rb
@@ -13,8 +13,14 @@ class WebHookService
    end
  end

+  GITLAB_EVENT_HEADER = 'X-Gitlab-Event'
+
  attr_accessor :hook, :data, :hook_name, :request_options

+  def self.hook_to_event(hook_name)
+    hook_name.to_s.singularize.titleize
+  end
+
  def initialize(hook, data, hook_name)
    @hook = hook
    @data = data
@@ -112,7 +118,7 @@ class WebHookService
    @headers ||= begin
      {
        'Content-Type' => 'application/json',
-        'X-Gitlab-Event' => hook_name.singularize.titleize
+        GITLAB_EVENT_HEADER => self.class.hook_to_event(hook_name)
      }.tap do |hash|
        hash['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(hook.token) if hook.token.present?
      end

--- a/changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml
+++ b/changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml
+---
+title: Protect against denial of service using pipeline webhook recursion
+merge_request:
+author:
+type: security
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -4,6 +4,8 @@ module API
  class Triggers < Grape::API
    include PaginationParams

+    HTTP_GITLAB_EVENT_HEADER = "HTTP_#{WebHookService::GITLAB_EVENT_HEADER}".underscore.upcase
+
    params do
      requires :id, type: String, desc: 'The ID of a project'
    end
@@ -19,6 +21,8 @@ module API
      post ":id/(ref/:ref/)trigger/pipeline", requirements: { ref: /.+/ } do
        Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42283')

+        forbidden! if gitlab_pipeline_hook_request?
+
        # validate variables
        params[:variables] = params[:variables].to_h
        unless params[:variables].all? { |key, value| key.is_a?(String) && value.is_a?(String) }
@@ -128,5 +132,11 @@ module API
        destroy_conditionally!(trigger)
      end
    end
+
+    helpers do
+      def gitlab_pipeline_hook_request?
+        request.get_header(HTTP_GITLAB_EVENT_HEADER) == WebHookService.hook_to_event(:pipeline_hooks)
+      end
+    end
  end
 end
--- a/spec/requests/api/triggers_spec.rb
+++ b/spec/requests/api/triggers_spec.rb
@@ -116,6 +116,18 @@ describe API::Triggers do
        end
      end
    end
+
+    context 'when is triggered by a pipeline hook' do
+      it 'does not create a new pipeline' do
+        expect do
+          post api("/projects/#{project.id}/ref/master/trigger/pipeline?token=#{trigger_token}"),
+            params: { ref: 'refs/heads/other-branch' },
+            headers: { WebHookService::GITLAB_EVENT_HEADER => 'Pipeline Hook' }
+        end.not_to change(Ci::Pipeline, :count)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
  end

  describe 'GET /projects/:id/triggers' do