Fix GL Runner Exploit to skip credential validation in dry-run mode (#468)

Copilot · web-flow · commit 5e2075dc5682 · 2025-12-24T16:46:45.000+01:00
* Fix GL Runner Exploit flag validation for dry-run mode
diff --git a/internal/cmd/gitlab/runners/exploit/exploit.go b/internal/cmd/gitlab/runners/exploit/exploit.go
@@ -22,18 +22,17 @@ func NewRunnersExploitCmd() *cobra.Command {
 # Creates a project with jobs for all available runners with the tags docker, shared. Dumps the envs encrypted using Age and starts an interactive SSHX shell,
 pipeleek gl runners exploit --token glpat-xxxxxxxxxxx --gitlab https://gitlab.mydomain.com --tags docker,shared --age-public-key age1... --repo-name my-exploit-repo --dry=false --shell=true
 
-# Print the generated .gitlab-ci.yml only, does NOT create a project or jobs
-pipeleek gl runners exploit --token glpat-xxxxxxxxxxx --gitlab https://gitlab.mydomain.com --dry=true --shell=true
+# Print the generated .gitlab-ci.yml only, does NOT create a project or jobs (gitlab and token flags not required)
+pipeleek gl runners exploit --dry=true --shell=true
  		`,
 		Run: func(cmd *cobra.Command, args []string) {
-			if err := config.BindCommandFlags(cmd, "gitlab.runners.exploit", nil); err != nil {
+			if err := config.BindCommandFlags(cmd, "gitlab.runners.exploit", map[string]string{
+				"gitlab": "gitlab.url",
+				"token":  "gitlab.token",
+			}); err != nil {
 				log.Fatal().Err(err).Msg("Failed to bind flags to config")
 			}
 
-			// Get gitlab URL and token from parent's vars (set by parent PersistentPreRun)
-			gitlabUrl, _ := cmd.Flags().GetString("gitlab")
-			gitlabApiToken, _ := cmd.Flags().GetString("token")
-
 			// Get values from config (supports CLI flags, config file, and env vars)
 			if !cmd.Flags().Changed("tags") {
 				runnerTags = config.GetStringSlice("gitlab.runners.exploit.tags")
@@ -51,7 +50,28 @@ pipeleek gl runners exploit --token glpat-xxxxxxxxxxx --gitlab https://gitlab.my
 				shell = config.GetBool("gitlab.runners.exploit.shell")
 			}
 
-			pkgrunners.ExploitRunners(runnerTags, dry, shell, gitlabApiToken, gitlabUrl, ageEncryptionPublicKey, repoName)
+			// Only require gitlab URL and token when not in dry-run mode
+			if !dry {
+				if err := config.RequireConfigKeys("gitlab.url", "gitlab.token"); err != nil {
+					log.Fatal().Err(err).Msg("Missing required configuration")
+				}
+
+				gitlabUrl := config.GetString("gitlab.url")
+				gitlabApiToken := config.GetString("gitlab.token")
+
+				if err := config.ValidateURL(gitlabUrl, "GitLab URL"); err != nil {
+					log.Fatal().Err(err).Msg("Invalid GitLab URL")
+				}
+				if err := config.ValidateToken(gitlabApiToken, "GitLab API Token"); err != nil {
+					log.Fatal().Err(err).Msg("Invalid GitLab API Token")
+				}
+
+				pkgrunners.ExploitRunners(runnerTags, dry, shell, gitlabApiToken, gitlabUrl, ageEncryptionPublicKey, repoName)
+			} else {
+				// In dry-run mode, we don't need gitlab URL and token
+				pkgrunners.ExploitRunners(runnerTags, dry, shell, "", "", ageEncryptionPublicKey, repoName)
+			}
+
 			log.Info().Msg("Done, Bye Bye 🏳️‍🌈🔥")
 		},
 	}
diff --git a/tests/e2e/gitlab/runners/runners_test.go b/tests/e2e/gitlab/runners/runners_test.go
@@ -26,6 +26,16 @@ func setupMockGitLabRunnersAPI(t *testing.T) string {
 		w.Write([]byte(`[{"id":123,"name":"test-project"}]`))
 	})
 
+	// Repository files endpoint for creating .gitlab-ci.yml
+	mux.HandleFunc("/api/v4/projects/999/repository/files/.gitlab-ci.yml", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodPost {
+			w.WriteHeader(http.StatusCreated)
+			w.Write([]byte(`{"file_path":".gitlab-ci.yml","branch":"main"}`))
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	})
+
 	// Project runners endpoint
 	mux.HandleFunc("/api/v4/projects/123/runners", func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -105,7 +115,7 @@ func TestGLRunnersExploit_DryRun(t *testing.T) {
 		"--gitlab", apiURL,
 		"--token", "mock-token",
 		"--tags", "docker,shell",
-		"--dry", "true",
+		"--dry=true",
 	}, nil, 10*time.Second)
 
 	assert.Nil(t, exitErr, "Runners exploit dry run should succeed")
@@ -114,6 +124,33 @@ func TestGLRunnersExploit_DryRun(t *testing.T) {
 	assert.NotContains(t, stderr, "fatal")
 }
 
+func TestGLRunnersExploit_DryRun_WithoutTokenAndGitlab(t *testing.T) {
+	stdout, stderr, exitErr := testutil.RunCLI(t, []string{
+		"gl", "runners", "exploit",
+		"--dry=true",
+		"--tags", "docker,shell",
+	}, nil, 10*time.Second)
+
+	assert.Nil(t, exitErr, "Runners exploit dry run should succeed without token and gitlab flags")
+	assert.Contains(t, stdout, ".gitlab-ci.yml", "Should show CI/CD YAML output")
+	assert.Contains(t, stdout, "docker", "Should include docker tag in YAML")
+	assert.NotContains(t, stderr, "fatal")
+}
+
+func TestGLRunnersExploit_NonDryRun_WithoutTokenAndGitlab(t *testing.T) {
+	stdout, stderr, exitErr := testutil.RunCLI(t, []string{
+		"gl", "runners", "exploit",
+		"--dry=false",
+	}, nil, 10*time.Second)
+
+	assert.NotNil(t, exitErr, "Should fail without token and gitlab flags when not in dry-run mode")
+	output := stdout + stderr
+	assert.Contains(t, output, "required configuration missing", "Should mention missing required configuration")
+	assert.Contains(t, output, "gitlab.url", "Should mention gitlab.url is missing")
+	assert.Contains(t, output, "gitlab.token", "Should mention gitlab.token is missing")
+}
+
+
 func TestGLRunnersExploit_WithRepoCreation(t *testing.T) {
 	apiURL := setupMockGitLabRunnersAPI(t)
 	stdout, stderr, exitErr := testutil.RunCLI(t, []string{
@@ -122,8 +159,8 @@ func TestGLRunnersExploit_WithRepoCreation(t *testing.T) {
 		"--token", "mock-token",
 		"--tags", "docker",
 		"--repo-name", "test-exploit-repo",
-		"--dry", "false",
-		"--shell", "false",
+		"--dry=false",
+		"--shell=false",
 	}, nil, 15*time.Second)
 
 	assert.Nil(t, exitErr, "Runners exploit should succeed")
@@ -140,13 +177,15 @@ func TestGLRunnersExploit_Unauthorized(t *testing.T) {
 	server := httptest.NewServer(mux)
 	defer server.Close()
 
-	stdout, _, _ := testutil.RunCLI(t, []string{
+	stdout, stderr, exitErr := testutil.RunCLI(t, []string{
 		"gl", "runners", "exploit",
 		"--gitlab", server.URL,
 		"--token", "invalid-token",
-		"--dry", "false",
+		"--dry=false",
 	}, nil, 10*time.Second)
 
-	// Exploit command generates YAML in dry mode regardless
-	assert.Contains(t, stdout, "Done, Bye Bye", "Should complete with generated YAML")
+	// Should fail with unauthorized error when creating project
+	assert.NotNil(t, exitErr, "Should fail with unauthorized error")
+	output := stdout + stderr
+	assert.Contains(t, output, "401", "Should mention 401 error")
 }
