Sentry auth token should be obscured; it is currently visible to all project maintainers
HackerOne report #637252 by ashish_r_padelkar
on 2019-07-07, assigned to estrike
Summary
Hello,
The Sentry auth token at /-/settings/operations (Error tracking) should be obscured, because it is visible to all other project maintainers.
Currently every project maintainer can read the auth token directly from the page. That lets any maintainer reuse the token to connect to the Sentry URL repeatedly and list Sentry projects they might not otherwise have access to.
Also, if a maintainer is demoted or removed from the project, they still hold the auth token and can keep fetching projects from Sentry until the token is explicitly revoked on the Sentry side.
The better approach would be to obscure the token and ask maintainers to enter it each time they connect, instead of saving it in the text box.
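An added example of the write-only handling this report asks for (illustrative code, not GitLab's own): the token is kept server-side, the settings form only ever receives a fixed mask, a blank or masked submission leaves the stored token untouched, and the object's inspect output never includes the plaintext. The class, method and field names (ErrorTrackingSetting, update!, with_token, token_fingerprint) and the sample token value are assumptions made for this example.

```ruby
# Added example, not GitLab code. Demonstrates "write-only" secret handling
# for a project-level Sentry auth token: store it, never render it back.
require 'digest'

class ErrorTrackingSetting
  # Fixed placeholder the settings page shows instead of the real token.
  MASK = '********'.freeze

  attr_reader :api_url, :project_name

  def initialize(api_url: nil, token: nil, project_name: nil)
    @api_url = api_url
    @token = token          # plaintext lives only here, server-side
    @project_name = project_name
  end

  # Everything the settings form is allowed to render. The token field is
  # replaced by MASK (or left empty), so the HTML response never leaks it.
  def to_form_h
    {
      api_url: api_url,
      token: token_present? ? MASK : '',
      project_name: project_name
    }
  end

  def token_present?
    !(@token.nil? || @token.empty?)
  end

  # Apply a form submission. A blank or mask-valued token field means
  # "keep the current token"; any other value replaces it (rotation).
  def update!(params)
    @api_url = params[:api_url] if params.key?(:api_url)
    @project_name = params[:project_name] if params.key?(:project_name)
    new_token = params[:token].to_s
    @token = new_token unless new_token.empty? || new_token == MASK
    self
  end

  # Short hash for audit logs so an operator can tell which token is
  # configured, or that it rotated, without seeing the secret itself.
  def token_fingerprint
    return nil unless token_present?
    Digest::SHA256.hexdigest(@token)[0, 12]
  end

  # Only the server-side Sentry client should touch the plaintext; it is
  # handed over inside a block rather than exposed as a reader.
  def with_token
    yield @token
  end

  # Keep the secret out of logs and error pages that call inspect.
  def inspect
    "#<ErrorTrackingSetting api_url=#{api_url.inspect} " \
      "token=#{token_present? ? MASK : 'nil'} " \
      "project_name=#{project_name.inspect}>"
  end
end
```

The report's stricter variant, asking for the token on every connect instead of storing it, is the same code with the stored value dropped after the Sentry call; the masked form and the "blank means keep" update rule are what prevent a second maintainer, or a demoted one, from reading the token back out of the settings page.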
Steps to reproduce
- Maintainer1 enters the Sentry auth token at /-/settings/operations, fetches the projects and saves the settings.
- Maintainer2 can see the auth token at /-/settings/operations and uses the same token to connect again and view projects they might not have access to in Sentry.
- Maintainer2 is demoted to the reporter role but is still able to fetch the Sentry projects until the auth token is removed on the Sentry side.
What is the current bug behavior?
The Sentry auth token is visible to all maintainers.
What is the expected correct behavior?
The auth token should be obscured and entered each time a maintainer connects to Sentry.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
The Sentry auth token is visible to all maintainers of the project.