diff --git a/e2e/gitlab.go b/e2e/gitlab.go
index 140bbcd5..a0238ceb 100644
--- a/e2e/gitlab.go
+++ b/e2e/gitlab.go
@@ -69,4 +69,9 @@ var testCasesGitLab = []testCase{
 path: "data.member.two_factor_authentication_is_disabled_for_an_external_collaborator",
 skippedEntity: "legitify-test",
 },
+ {
+ path: "data.repository.overriding_defined_variables_isnt_restricted",
+ failedEntity: "failed_repo",
+ passedEntity: "passed_repo",
+ },
 }
diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
index 6b6aa5ab..1087c007 100644
--- a/policies/gitlab/repository.rego
+++ b/policies/gitlab/repository.rego
@@ -344,3 +344,22 @@ default repository_dismiss_stale_reviews := true
 repository_dismiss_stale_reviews := false {
 input.approval_configuration.reset_approvals_on_push
 }
+
+# METADATA
+# scope: rule
+# title: The ability to override predefined variables should be limited only to users with at least Maintainer role.
+# description: It’s recommended to restrict users with low privileges from overriding predefined variables, as doing so could compromise the security and integrity of the CI/CD pipeline.
+# custom:
+# remediationSteps:
+# - 1. Make sure you have owner or maintainer permissions
+# - 2. The remediation is available through the project's API (e.g., 'https://gitlab.com/api/v4/projects/')
+# - 3. Set the 'restrict_user_defined_variables' attribute to TRUE (this attribute is FALSE by default)
+# - 4. When 'restrict_user_defined_variables' is enabled, you can specify which role can override variables. This is done by setting the 'ci_pipeline_variables_minimum_override_role' attribute to one of: owner, maintainer, developer or no_one_allowed.
+# - 5. For more information, you can check out gitlab's API documentation: https://docs.gitlab.com/ee/api/projects.html
+# severity: LOW
+# threat: Allowing overrides of predefined variables can result in unintentional misconfigurations of the CI/CD pipeline or deliberate tampering.
+default overriding_defined_variables_isnt_restricted := true
+
+overriding_defined_variables_isnt_restricted := false {
+ input.restrict_user_defined_variables
+}
\ No newline at end of file
diff --git a/test/repository_test.go b/test/repository_test.go
index 2c239349..67bea8f4 100644
--- a/test/repository_test.go
+++ b/test/repository_test.go
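Review bot: The rule body only evaluates `input.restrict_user_defined_variables`, yet the title promises a Maintainer-or-higher floor; a project with the flag enabled but the `ci_pipeline_variables_minimum_override_role` attribute from remediation step 4 left at `developer` still makes the rule return false and pass. Either narrow the title and description to the boolean that is actually checked, or add the role to the body once the collector exposes that attribute, e.g. `input.ci_pipeline_variables_minimum_override_role != "developer"` under the existing line — I cannot tell from this hunk whether the collected input carries that field, and the Go test in the third hunk likewise sets only the boolean. Separately, the old side of this hunk ended with a newline (no marker on the ` }` context line) while the new side ends with `\ No newline at end of file`; restoring the trailing newline keeps the next diff against this file clean.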
@@ -751,3 +751,20 @@ func TestGitlabRepositoryDismissStaleReviews(t *testing.T) {
 repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
 }
 }
+
+func TestGitlabRepositoryRestrictsOverrideVariables(t *testing.T) {
+ name := "Restrict Override Of Defined Variables"
+ testedPolicyName := "overriding_defined_variables_isnt_restricted"
+
+ makeMockData := func(flag bool) gitlabcollected.Repository {
+ return gitlabcollected.Repository{Project: &gitlab2.Project{RestrictUserDefinedVariables: flag}}
+ }
+ options := map[bool]bool{
+ false: true,
+ true: false,
+ }
+ for _, expectFailure := range bools {
+ flag := options[expectFailure]
+ repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
+ }
+}
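Review bot: `options` is a two-entry table whose only job is to invert `expectFailure`, so `flag := !expectFailure` inside the loop states the intent directly and removes the map and its lookup. The leading context line (`makeMockData(flag)` in the previous test) suggests the sibling tests use the same table shape, so if the file prefers uniformity across cases, keeping it is defensible; otherwise the one-liner is easier to read. The enclosing test function in the context lines starts above this hunk.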