API exposes comment field of user uploaded SSH keys

HackerOne report #473439 by dcsec on 2018-12-31:

Summary

The GitLab API exposes the comment field of users' public SSH keys.

Description

The specification seems to state that this should not happen. The commit that made the changes to the specification also seems to suggest this is not intentional.

Key comments are not disclosed when accessing a user's keys via the web interface. Example below (cut for brevity):

$ curl https://gitlab.com/dsadnasdsandajn.keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAIQC8HSa4ekYekN0hAgxlEBHMcGvoKw0n22Qf+ZWAfVHfnw== dsadnasdsandajn (gitlab.com)

Apart from being unintentional, it's likely that in some cases this could leak sensitive information to an attacker (system usernames, internal host names, an accidentally pasted password if we are really unlucky/lucky).

GitHub doesn't publish the comment field.

Steps To Reproduce

  1. List a user's public SSH keys via the API. Example below (output cut for brevity):
$ curl https://gitlab.com/api/v4/users/3137456/keys/
[{"id":2936115,"title":"example-comment-exposure","key":"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4SU05weyscjB1OWy7GBGRIH7OpJycoJ/9jKo16TFfgL+mUe1+aTOddEaKj6+YrcW3g0ONNWGfL9j7nu4LvW0vNk2hD6ghb2B357fK3pe/AUdeOEUN3qH2nEj00UUhLUSQ5hXxVr6Spb9XTkpQOTO9q+U7vfJyHxS8FRredMeETU= example-comment-exposure","created_at":"2018-12-31T00:07:05.812Z"}]

The key comment field is listed directly inside the title property and also at the end of the key property.
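The check described in the steps above, written out as an added example (this is not code from the report or from GitLab). It parses OpenSSH public-key lines of the form `<type> <base64 body> [comment]`, scans a constructed `GET /users/:id/keys` style response for comments that are visible in the `key` and `title` properties, flags the comment shapes the report worries about (the default `user@host` comment, or something that looks like a pasted credential), and shows the server-side fix of publishing only the type and body. The key bodies and ids below are constructed, not real keys, and the `looks_sensitive` heuristic is an assumption made here for illustration.

```python
import base64
import json
import re


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def fake_key_body(key_type: str) -> str:
    """Constructed base64 key body (NOT a real key): the blob starts with the
    key-type string, as real OpenSSH keys do, followed by junk fields."""
    blob = (_wire_string(key_type.encode())
            + _wire_string(b"\x01\x00\x01")
            + _wire_string(b"\x00" * 32))
    return base64.b64encode(blob).decode("ascii")


def parse_public_key(line: str):
    """Split an OpenSSH public-key line into (key_type, body, comment).

    The comment is everything after the base64 body and may contain spaces.
    The body is decoded and its embedded type string is compared with the
    textual prefix, so malformed or mismatched keys are rejected."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(body, validate=True)  # raises ValueError on bad base64
    length = int.from_bytes(blob[:4], "big")
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("embedded key type does not match prefix")
    return key_type, body, comment


def strip_comment(line: str) -> str:
    """What a server should publish: key type and body only, comment dropped."""
    key_type, body, _ = parse_public_key(line)
    return f"{key_type} {body}"


# Assumed heuristic (not from the report): ssh-keygen's default user@host comment,
# or a comment that mentions a password.
_USER_AT_HOST = re.compile(r"^[\w.-]+@[\w.-]+$")


def looks_sensitive(comment: str) -> bool:
    return bool(_USER_AT_HOST.match(comment)) or "pass" in comment.lower()


def find_exposed_comments(api_json: str):
    """Scan a /users/:id/keys style response and record every place a key
    comment is visible: the tail of 'key', and 'title' when it equals the comment."""
    leaks = []
    for entry in json.loads(api_json):
        _, _, comment = parse_public_key(entry["key"])
        if not comment:
            continue
        leaks.append({"id": entry["id"], "field": "key", "comment": comment})
        if entry.get("title") == comment:
            leaks.append({"id": entry["id"], "field": "title", "comment": comment})
    return leaks


def sanitize_api_response(api_json: str) -> str:
    """Server-side fix for the 'key' property: drop the comment before serialising.
    'title' is user-supplied and needs its own handling, which this does not do."""
    entries = json.loads(api_json)
    for entry in entries:
        entry["key"] = strip_comment(entry["key"])
    return json.dumps(entries)


# Constructed sample response modelled on the report's output; ids and keys are made up.
SAMPLE_API_RESPONSE = json.dumps([
    {"id": 1, "title": "example-comment-exposure",
     "key": f"ssh-rsa {fake_key_body('ssh-rsa')} example-comment-exposure"},
    {"id": 2, "title": "laptop",
     "key": f"ssh-ed25519 {fake_key_body('ssh-ed25519')} alice@build-host.internal"},
    {"id": 3, "title": "ci-deploy",
     "key": f"ssh-ed25519 {fake_key_body('ssh-ed25519')}"},
])

if __name__ == "__main__":
    for leak in find_exposed_comments(SAMPLE_API_RESPONSE):
        flag = " (looks sensitive)" if looks_sensitive(leak["comment"]) else ""
        print(f"key {leak['id']}: comment visible in {leak['field']!r}: {leak['comment']}{flag}")
    print(sanitize_api_response(SAMPLE_API_RESPONSE))
```

Against the sample data this reports key 1 twice (comment in both `key` and `title`) and key 2 once, with key 2's `alice@build-host.internal` flagged as a username plus internal host name; after `sanitize_api_response` no comment remains in any `key` property.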

Impact

Apart from being unintentional, it's likely that in some cases this could leak sensitive information to an attacker (system usernames, internal host names, an accidentally pasted password if we are really unlucky/lucky).
