- "details": "### Summary\n\nThe Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled `serverURL` when the user omits the `token` parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by pointing `serverURL` to an attacker-controlled endpoint.\n\n### Details\n\nThe git resolver's `ResolveAPIGit()` function in `pkg/resolution/resolver/git/resolver.go` constructs an SCM client using the user-supplied `serverURL` and a token obtained via `getAPIToken()`.\n\nWhen the user provides `serverURL` but omits the `token` parameter:\n\n1. `getSCMTypeAndServerURL()` reads `serverURL` directly from user params (`params[ServerURLParam]`) with no validation against the system-configured URL.\n\n2. `secretRef` is set to `nil` because the user did not provide a token parameter.\n\n3. `getAPIToken(ctx, nil, APISecretNameKey)` is called. It detects `apiSecret == nil`, creates a new `secretCacheKey`, and populates it from the system-configured secret (`conf.APISecretName` / `conf.APISecretNamespace` / `SYSTEM_NAMESPACE`).\n\n4. `clientFunc(scmType, serverURL, string(apiToken))` creates an SCM client pointed at the attacker-controlled URL with the system token. The SCM factory sets the token as an `Authorization` header on the HTTP client.\n\n5. All subsequent API calls (`Contents.Find`, `Git.FindCommit`) carry the system token to the attacker URL.\n\n### Impact\n\nThe system Git API token (GitHub PAT, GitLab token, etc.) is exfiltrated to an attacker-controlled endpoint. This token typically has read access to private repositories containing source code, secrets, and CI/CD configurations.\n\nThis follows the same threat model as GHSA-j5q5-j9gm-2w5c (published March 2026): a namespace-scoped tenant with permission to create TaskRuns exploits the git resolver to exfiltrate credentials. The prior advisory involved reading the resolver pod's ServiceAccount token via path traversal. This finding involves redirecting the system Git API token via `serverURL`.\n\n### Patches\n\n_(to be filled in after fix is merged and released)_\n\nThe fix validates that when `serverURL` is user-provided and differs from the system-configured server URL, the user must also provide their own `token` parameter. Using the system token with a non-system server URL is rejected.\n\n### Workarounds\n\n- **Do not configure a system-level API token** in the git resolver ConfigMap. Instead, require all users to provide their own tokens via the `token` parameter.\n- **Restrict TaskRun creation** — limit which users or ServiceAccounts can create TaskRuns and PipelineRuns that use the git resolver.\n- **Network egress policies** — apply `NetworkPolicy` to the `tekton-pipelines-resolvers` namespace to restrict outbound traffic to known-good Git servers only.\n\n### Affected Versions\n\nAll releases from **v1.0.0** through **v1.10.0**, including all patch releases. The API mode of the git resolver has been present since the resolver was introduced.\n\nReleases prior to v1.0.0 are not affected because the git resolver either did not exist or did not have API mode.\n\n### Acknowledgments\n\nThis vulnerability was reported by Koda Reef (@kodareef5), who provided a detailed analysis and proof-of-concept. Thank you!\n\n### References\n\n- Prior advisory: [GHSA-j5q5-j9gm-2w5c](https://github.com/tektoncd/pipeline/security/advisories/GHSA-j5q5-j9gm-2w5c)\n- Related: #9608 (deprecate `api-token-secret-namespace`)\n- Related: #9609 (SubjectAccessReview for resolver secrets)",