
2019 Q1 Recurity Assessment: LoginState HMAC Issues

https://gitlab.com/gitlab-com/gl-security/engineering/issues/329

Details

The Gitlab::Geo::Oauth::LoginState class generates HMAC values in order to sign a redirect URI (see also chapters 3.1 and 3.3). The HMAC key is derived by simply concatenating an 8 byte random salt onto the secret_key_base:

def generate_hmac
  digest = OpenSSL::Digest::SHA256.new
  # The key is the bare concatenation of the application secret and the salt:
  # no key derivation step, and nothing here rejects an empty salt.
  key = Gitlab::Application.secrets.secret_key_base + salt
  OpenSSL::HMAC.hexdigest(digest, key, return_to.to_s)
end

This construction is not advisable: the plain concatenation of the salt and the secret_key_base eases, for instance, brute-force attacks on the secret_key_base. Additionally, the generate_hmac routine should ensure that the salt value is of sufficient length. Otherwise, depending on the calling method, an empty string might be passed as the salt, in which case secret_key_base becomes the actual HMAC key.

Reproduction Steps

Observe the code at ee/lib/gitlab/geo/oauth/login_state.rb.

Recommendation

A proper key derivation mechanism, such as the built-in key derivation mechanism of Ruby on Rails, should be utilized.
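The following is an added example, not GitLab's code, that puts the weak construction from the Details section next to a hardened form of the kind this recommendation asks for. The hardened form enforces a minimum salt length and derives the signing key with PBKDF2-HMAC-SHA256, the primitive that Rails' ActiveSupport::KeyGenerator wraps, called directly through Ruby's standard openssl library so the example runs without Rails; the secret, salt, and redirect URI are constructed sample values and the function names are this example's own.

```ruby
require "openssl"

# Constructed sample secret; a real secret_key_base is a long random string.
SECRET_KEY_BASE = "constructed-sample-secret-key-base-not-a-real-one".freeze
MIN_SALT_BYTES = 8

# Weak form from the finding: the HMAC key is the bare concatenation of the
# application secret and the salt, and an empty salt is silently accepted.
def weak_hmac(secret_key_base, salt, return_to)
  key = secret_key_base + salt.to_s
  OpenSSL::HMAC.hexdigest("SHA256", key, return_to.to_s)
end

# Hardened form: reject short salts, then derive a purpose-specific key with
# PBKDF2-HMAC-SHA256 instead of handing the raw secret to HMAC.
def derive_key(secret_key_base, salt, iterations: 1000, length: 32)
  if salt.to_s.bytesize < MIN_SALT_BYTES
    raise ArgumentError, "salt must be at least #{MIN_SALT_BYTES} bytes"
  end
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt.to_s, iterations: iterations,
                           length: length, hash: "SHA256")
end

def hardened_hmac(secret_key_base, salt, return_to)
  OpenSSL::HMAC.hexdigest("SHA256", derive_key(secret_key_base, salt), return_to.to_s)
end

# Compare a presented tag against the expected one without an early exit on
# the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_hmac?(secret_key_base, salt, return_to, tag)
  constant_time_equal?(hardened_hmac(secret_key_base, salt, return_to), tag.to_s)
end

# Check described in the finding: with an empty salt the weak form is just
# HMAC keyed directly with secret_key_base.
def empty_salt_exposes_secret?(secret_key_base, return_to)
  weak_hmac(secret_key_base, "", return_to) ==
    OpenSSL::HMAC.hexdigest("SHA256", secret_key_base, return_to.to_s)
end

if $PROGRAM_NAME == __FILE__
  uri = "https://gitlab.example/oauth/callback" # constructed sample redirect URI
  puts "empty salt collapses to raw secret: #{empty_salt_exposes_secret?(SECRET_KEY_BASE, uri)}"
  puts "hardened tag: #{hardened_hmac(SECRET_KEY_BASE, 'salt-16-bytes!!!', uri)}"
end
```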

Edited by Douglas Barbosa Alexandre