
POST requests are appending the parameters to the URL.

The Retrofit POST requests in the GitLab interface appear to be appending the request parameters to the URL using the @Query annotation. This becomes a security issue on login because the user's credentials are exposed in the URL, and therefore in anything that records URLs (client-side request logging, proxies, server access logs). Example log:

.../com.commit451.gitlab I/TimberRequestInterceptor﹕ Sending request https://gitlab.com/api/v3/session?login=***&password=***

Recommendation: send the parameters in the request body using the application/x-www-form-urlencoded MIME type, by modifying the service methods as follows:

	// @FormUrlEncoded + @Field move login/password out of the query string
	// and into a form-encoded request body.
	@FormUrlEncoded
	@POST(API_VERSION + "/session")
	Call<Session> getSessionByUsername(@Field("login") String login,
	                                   @Field("password") String password);

This ensures the user's credentials are not exposed in the URL. They still travel in the request body, so any interceptor that logs request bodies (for example OkHttp's HttpLoggingInterceptor at BODY level) would still record them; request logging should skip or redact the session endpoint.
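As an added example (not part of this issue or of the LabCoat code), the following Java program puts the two service shapes side by side and runs each against an in-process OkHttp MockWebServer, so the difference shows up in what the server records rather than in a log line. It assumes Retrofit 2 with OkHttp 3 and its mockwebserver artifact on the classpath; Session is replaced by ResponseBody so no JSON converter is needed, the credentials are constructed test values, and the NO_SECRETS_IN_URL guard interceptor is a hypothetical hardening check, not something the project ships.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.ResponseBody;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import retrofit2.Call;
import retrofit2.Retrofit;
import retrofit2.http.Field;
import retrofit2.http.FormUrlEncoded;
import retrofit2.http.POST;
import retrofit2.http.Query;

/** Hypothetical demo class, not LabCoat's code. */
public class SessionParamDemo {

    static final String API_VERSION = "/api/v3";

    // Vulnerable shape: @Query places login/password in the URL query string.
    interface QuerySessionService {
        @POST(API_VERSION + "/session")
        Call<ResponseBody> getSession(@Query("login") String login,
                                      @Query("password") String password);
    }

    // Fixed shape: @FormUrlEncoded + @Field places them in the request body.
    interface FormSessionService {
        @FormUrlEncoded
        @POST(API_VERSION + "/session")
        Call<ResponseBody> getSession(@Field("login") String login,
                                      @Field("password") String password);
    }

    // Hypothetical defence-in-depth check: refuse to send any request whose
    // query string carries a credential-looking parameter, so a regression of
    // this bug fails loudly instead of leaking into URL logs. Denylist is constructed.
    static final Set<String> SECRET_PARAMS =
            new HashSet<>(Arrays.asList("password", "private_token"));

    static final Interceptor NO_SECRETS_IN_URL = chain -> {
        Request request = chain.request();
        for (String name : request.url().queryParameterNames()) {
            if (SECRET_PARAMS.contains(name.toLowerCase())) {
                throw new IOException("refusing to send credential in URL query: " + name);
            }
        }
        return chain.proceed(request);
    };

    static Retrofit build(MockWebServer server, OkHttpClient client) {
        // ResponseBody is handled natively by Retrofit, so no converter factory.
        return new Retrofit.Builder().baseUrl(server.url("/")).client(client).build();
    }

    public static void main(String[] args) throws Exception {
        MockWebServer server = new MockWebServer();
        server.start();

        // Constructed test credentials; not a real account.
        String login = "alice";
        String password = "s3cret";

        Retrofit plain = build(server, new OkHttpClient());

        // 1) @Query: the server sees the credentials in the request line.
        server.enqueue(new MockResponse().setResponseCode(201).setBody("{}"));
        plain.create(QuerySessionService.class).getSession(login, password).execute();
        RecordedRequest q = server.takeRequest();
        System.out.println("@Query path: " + q.getPath());
        System.out.println("@Query body: [" + q.getBody().readUtf8() + "]");

        // 2) @Field: the path is bare; credentials are in the form-encoded body.
        server.enqueue(new MockResponse().setResponseCode(201).setBody("{}"));
        plain.create(FormSessionService.class).getSession(login, password).execute();
        RecordedRequest f = server.takeRequest();
        System.out.println("@Field path: " + f.getPath());
        System.out.println("@Field type: " + f.getHeader("Content-Type"));
        System.out.println("@Field body: [" + f.getBody().readUtf8() + "]");

        // 3) Guarded client: the @Query shape is blocked before it leaves the app.
        Retrofit guarded = build(server,
                new OkHttpClient.Builder().addInterceptor(NO_SECRETS_IN_URL).build());
        try {
            guarded.create(QuerySessionService.class).getSession(login, password).execute();
        } catch (IOException e) {
            System.out.println("guard: " + e.getMessage());
        }

        server.shutdown();
    }
}
```

Running it shows the @Query request's path carrying both parameters after `?` while its body is empty, and the @Field request's path ending at `/session` with a `Content-Type` of `application/x-www-form-urlencoded` and the parameters in the body. The guard interceptor is the check a unit test can keep around: wire it into the debug build's OkHttpClient and any future service method that puts a password back in the query string throws instead of shipping.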