SCIM token is still Viewable After Creation
HackerOne report #565884 by ngalog on 2019-05-04, assigned to hackerjuan:
Summary
SCIM token of the group should be hidden once it's reset/create. But I found one endpoint is disclosing it's value.
Steps to reproduce
- As the admin of the group, issue below request with your gold sub group, with SCIM enabled
GET /groups/REPLACE_ME_GROUP_PATH/-/scim_oauth HTTP/1.1
Host: gitlab.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: REPLACEME
X-Requested-With: XMLHttpRequest
Connection: close
Upgrade-Insecure-Requests: 1
Impact
SCIM is still viewable after generation/reset
Attachments
Warning: Attachments received through HackerOne, please exercise caution!