Admin Page's AWS Secret Key is Shown in Plain Text

HackerOne report #631207 by ngalog on 2019-06-28, assigned to dappelt:

Summary

Normally, GitLab handles private tokens, passwords and other sensitive information consistently: the value is shown once and can never be viewed again afterwards.

I found that the Elasticsearch AWS secret key is not implemented in the same way. In https://:gitlabinstance/admin/application_settings/integrations, after an admin saves the AWS secret key, when other admins revisit the same page the secret key is shown as •••••••••. I suppose the intention is to hide this value from other admins.

However, I found that if you view the source code of this page, the secret key is actually stored in plaintext.

Steps to reproduce

  • As an admin, visit https://:gitlab/admin/application_settings/integrations and save a dummy AWS secret key and access key
  • As another admin, visit https://:gitlab/admin/application_settings/integrations, click View Source and search for application_setting_elasticsearch_aws_secret_access_key
  • You will find your AWS secret key in <input value="YOUR_AWS_SECRET_KEY">
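As an added check, not part of the report or of GitLab's own code: a small audit that scans a page's HTML for inputs whose name suggests a secret but whose value attribute still carries plaintext. A type="password" field counts, because the browser masks the value while the page source does not. The HTML below is a constructed sample and the key is a placeholder.

```python
from html.parser import HTMLParser

# Attribute-name fragments that mark an input as carrying a secret.
SENSITIVE_MARKERS = ("secret", "password", "token", "private_key")
MASK_CHARS = set("•*")


def is_masked(value: str) -> bool:
    """True when the value is empty or only a visual mask (bullets/asterisks)."""
    return value == "" or set(value) <= MASK_CHARS


class SecretInputAuditor(HTMLParser):
    """Collects <input> elements whose name looks sensitive but whose value
    attribute still carries a real, unmasked value in the HTML source."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        name = (a.get("name") or a.get("id") or "").lower()
        if not any(m in name for m in SENSITIVE_MARKERS):
            return
        value = a.get("value") or ""
        # type="password" only hides the value in the rendered page; the
        # attribute is still plaintext in the source, so it counts as a leak.
        if not is_masked(value):
            self.findings.append({"name": name, "type": a.get("type") or "text", "value": value})


def audit_secret_inputs(html: str) -> list[dict[str, str]]:
    parser = SecretInputAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample resembling the admin integrations page; the key is a placeholder.
SAMPLE_HTML = """
<form action="/admin/application_settings" method="post">
  <input type="password" id="application_setting_elasticsearch_aws_secret_access_key"
         name="application_setting[elasticsearch_aws_secret_access_key]" value="YOUR_AWS_SECRET_KEY">
  <input type="password" name="application_setting[other_secret]" value="•••••••••">
  <input type="password" name="application_setting[new_token]" placeholder="Enter a new token">
</form>
"""
```

Only the first field is reported: a bullet-only value and an empty field with a placeholder are the safe patterns.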

Impact

The AWS secret key is saved and shown in plain text to other admins.

Output of checks

This should be happening on GitLab.com as well.

Results of GitLab environment info

Reproduced on 12.0.2-ee (ef76b54f)

Edited Nov 27, 2019 by GitLab SecurityBot