Amazon EKS credentials leaked via HTML source code
HackerOne report #784130 by xanbanx
on 2020-01-27, assigned to @cmaxim:
Hi GitLab Security Team,
Summary
I found a vulnerability where the Amazon EKS cluster is transmitted in plaintext to the GitLab frontend, where it is masked. However, this leaves the actual Amazon credentials being stored in the HTML source code of the page. A malicious admin user can simply copy those credentials and when he is removed from the GitLab instance he still has full Amazon access. Furthermore, an XSS vulnerability can simply read out the HTML page and thus steal the Amazon credentials.
Steps to reproduce
- As an admin go to `https://example.gitlab.com/admin/application_settings/integrations`
- In the Amazon EKS section enter a fake account ID, access key id, and secret access key. Use `my-secret-access-key` for the secret access key and save the changes
- You see that the secret access key is masked.
- Now open the source of the website and inspect the secret access key form
- You will see HTML code similar to the one below:

```html
<input value="my-secret-access-key" class="form-control" type="password" name="application_setting[eks_secret_access_key]" id="application_setting_eks_secret_access_key">
```

You notice that the value is set to `my-secret-access-key` although the value is masked in the UI.
Impact
The Amazon EKS credentials are leaked in the HTML source code. This vulnerability has a twofold impact:
- Any other admin can simply copy the credentials. If the admin is removed from the GitLab instance, this user still has full access to the Amazon account via the previously copied credentials.
- An XSS vulnerability can simply steal the Amazon credentials
What is the current bug behavior?
The Amazon EKS credentials are transmitted in plaintext to the frontend and then are masked there, leaving them in plain in the HTML source code.
What is the expected correct behavior?
Do not transmit the Amazon EKS credentials to the frontend. Just transmit a dummy masked value, e.g., `*******`.
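To make the expected behaviour concrete, below is an added example in plain Ruby (not GitLab's code; it does not use Rails and all function names are assumptions). It models the two halves of the fix: the form never embeds the stored secret in the `value` attribute, and the server treats a blank submission as "keep the existing secret" so the real value never has to round-trip through the browser. A `type="password"` input only hides the value visually; whatever is in the `value` attribute is still in the HTML source, which is the flaw the report describes.

```ruby
require 'cgi'

# Constructed example (not GitLab's code): a minimal settings-form renderer
# and update handler that model the reported flaw and its fix.

MASK = '********' # placeholder the fixed form shows instead of the stored secret

# Vulnerable rendering: the stored secret is embedded in the value attribute.
# type="password" only masks it on screen; it is fully present in the HTML source.
def render_secret_field_vulnerable(secret)
  %(<input value="#{CGI.escapeHTML(secret)}" class="form-control" type="password" ) +
    %(name="application_setting[eks_secret_access_key]" id="application_setting_eks_secret_access_key">)
end

# Fixed rendering: never send the secret to the browser. Emit an empty value and
# a mask as placeholder so the admin can see that a secret is configured.
def render_secret_field_fixed(secret_present)
  placeholder = secret_present ? MASK : ''
  %(<input value="" placeholder="#{placeholder}" class="form-control" type="password" ) +
    %(name="application_setting[eks_secret_access_key]" id="application_setting_eks_secret_access_key">)
end

# Server-side update rule for the fixed form: a blank submission means
# "leave the stored secret unchanged"; any other value replaces it.
def update_secret(stored, submitted)
  return stored if submitted.nil? || submitted.strip.empty?
  submitted
end

# Regression check a reviewer would add: the rendered HTML must not contain
# the secret, either raw or HTML-escaped.
def leaks_secret?(html, secret)
  html.include?(secret) || html.include?(CGI.escapeHTML(secret))
end

if __FILE__ == $PROGRAM_NAME
  secret = 'my-secret-access-key' # constructed sample value from the report
  puts "vulnerable form leaks secret: #{leaks_secret?(render_secret_field_vulnerable(secret), secret)}"
  puts "fixed form leaks secret:      #{leaks_secret?(render_secret_field_fixed(true), secret)}"
  puts "blank submit keeps secret:    #{update_secret(secret, '') == secret}"
end
```

The `leaks_secret?` check is the kind of assertion that belongs in a view test: render the settings page with a known secret configured and assert the secret string is absent from the response body.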
Output of checks
(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)
Results of GitLab environment info

```
System information
System: Ubuntu 16.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.24.1
Sidekiq Version:5.2.7
Go Version: go1.6.2 linux/amd64

GitLab information
Version: 12.7.0-pre
Revision: 3aac4140d99
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 10.9
URL: https://example.gitlab.com
HTTP Clone URL: https://example.gitlab.com/some-group/some-project.git
SSH Clone URL: git@example.gitlab.com:some-group/some-project.git
Elasticsearch: no
Geo: yes
Geo node: Primary
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 11.0.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
```
Best regards,
Xanbanx
Impact
See above.