- Source: GL_InstanceRole (Member)
- Destination: GL_User (Renovate bot user)
The traversable GL_RenovateInviteAndTakeover edge models the Renovate invite-and-takeover attack path. It is created by the enrichment phase when a vulnerable, self-hosted Renovate bot instance is detected on the GitLab instance.
Attack scenario: A Renovate bot configured with GitLab autodiscovery will automatically process any project that has a valid Renovate configuration file and has invited the Renovate bot user as a member. An authenticated instance member can:
- Create a new project (via GL_CanCreateProject)
- Add a renovate.json that triggers the self-hosted Renovate bot
- Invite the Renovate bot user as a member of the project
- Wait for Renovate to accept the invitation, process the configuration and update the project's dependencies
- Exfiltrate the Renovate bot's access token and use its privileges to access other projects it manages
The edge source is the Member instance role (representing any authenticated user) and the destination is the detected Renovate bot user. The presence of this edge indicates the instance is vulnerable to this escalation path.
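A defender-side check for the precondition behind this edge, added here as an example and not part of the original page or the tool it documents: it audits a self-hosted Renovate configuration and flags unrestricted GitLab autodiscovery, then shows the corrected shape (autodiscovery off with an explicit repository list, or an autodiscoverFilter scoped to a trusted namespace). It assumes the bot's config is available as JSON; `platform`, `endpoint`, `autodiscover`, `autodiscoverFilter` and `repositories` are Renovate's own self-hosted option names, and the two sample configs are constructed.

```python
"""Audit a self-hosted Renovate configuration for unrestricted GitLab autodiscovery.

Added example (not from the original page). Assumes the bot's self-hosted
configuration is available as a JSON document; the sample configs below are
constructed for illustration.
"""
import json


def audit_renovate_config(config: dict) -> list[str]:
    """Return a list of findings (empty list means the config does not
    expose the invite-and-takeover precondition)."""
    findings = []

    # The edge documented above only concerns bots talking to GitLab.
    if config.get("platform") != "gitlab":
        return findings

    if config.get("autodiscover") is True:
        filt = config.get("autodiscoverFilter")
        if not filt:
            # Any project that invites the bot user gets processed.
            findings.append(
                "autodiscover enabled without autodiscoverFilter: the bot will "
                "onboard any project that invites its user"
            )
        else:
            # A filter narrows the blast radius but still needs review.
            findings.append(
                f"autodiscover enabled, limited by autodiscoverFilter={filt!r}: "
                "confirm the filter only covers trusted namespaces"
            )
    elif not config.get("repositories"):
        # Neither autodiscovery nor an explicit allow-list: nothing would run,
        # which is usually a misconfiguration rather than a risk.
        findings.append("autodiscover disabled and no repositories listed")

    return findings


def audit_renovate_config_text(text: str) -> list[str]:
    """Convenience wrapper for a raw JSON config file."""
    return audit_renovate_config(json.loads(text))


# Constructed sample: the weak setting that creates the edge.
WEAK_CONFIG = {
    "platform": "gitlab",
    "endpoint": "https://gitlab.example.com/api/v4/",  # placeholder endpoint
    "autodiscover": True,
}

# Constructed sample: the corrected setting, an explicit allow-list.
FIXED_CONFIG = {
    "platform": "gitlab",
    "endpoint": "https://gitlab.example.com/api/v4/",  # placeholder endpoint
    "autodiscover": False,
    "repositories": ["platform/backend", "platform/frontend"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_renovate_config(cfg) or ["no findings"])
```

Run this over the bot's real config as part of a periodic review; a non-empty result for the unrestricted case is the condition under which the enrichment phase would create a GL_RenovateInviteAndTakeover edge from the Member role.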
graph LR
member("fa:fa-user-tie GL_InstanceRole Member")
attacker("fa:fa-user GL_User attacker")
renovate("fa:fa-robot GL_User renovate-bot")
attacker -->|GL_HasRole| member
member -->|GL_RenovateInviteAndTakeover| renovate