ESCALATED: GitHub personal access tokens included in project exports
HackerOne report #697487 by xanbanx on 2019-09-18, assigned to @jritchey:
Hi GitLab Security Team,
Summary
GitLab can be used as an external CI/CD service for GitHub repos. When creating a new project, you can connect to a GitHub repo via a GitHub personal access token of one user. However, when exporting that project in GitLab, the personal access token is also included in the project export, which is pretty bad.
This means everyone who can export the project also has access to the GitHub personal access token. And because the personal access token is not scoped to the GitHub project but to the user, anyone who is in possession of this personal access token can now access all current and future GitHub projects of that user. For GitLab, this means any maintainer or above who can export the project thus also has access to the personal access token.
Steps to reproduce
Tested on GitLab Enterprise Edition 12.3.0-pre 32dae283
- Create a new project. Choose "CI/CD for external repo" to import a project.
- Choose "GitHub" under "Connect repositories from".
- Enter your personal access token from the GitHub account you want to import the project from.
- Select a project you want to import from GitHub.
- After importing the project, go to https://example.gitlab.com/wter23/test-import/edit and export the project.
- Download the project archive, extract it, and inspect the project.json it contains.
You will find the GitHub personal access token in a section like the one below:
"properties": {
"repository_url": "https://github.com/foobar/test",
"token": "48538ef7dc8f8ac12404877d2849fa24b7b0aed5",
"static_context": true
},
Note, this is a fake token for the report.
Anyone who can export the project now has access to the GitHub personal access token and thus to all associated projects of the user who created the personal access token.
Impact
Anyone with at least Maintainer rights can export a project and thus gets access to the personal access token used for the GitHub sync. This personal access token, however, is scoped to one particular GitHub user. So anyone who is in possession of this project now has full access to all projects of the particular GitHub user who created this personal access token in the first place.
What is the current bug behavior?
Project export contains the GitHub personal access token.
What is the expected correct behavior?
Do not include the GitHub personal access token in the project export.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
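As an added example (not part of the report and not GitLab's own code), the Ruby script below scans an exported project.json for credential fields such as the `token` quoted above and redacts them before the archive is shared or stored. The key list and the sample export fragment are constructed assumptions; the placeholder token is not a real credential.

```ruby
require 'json'

# Keys whose values must not survive an export (constructed list; "token" is
# the field the report quotes).
SENSITIVE_KEYS = %w[token password api_key secret].freeze

# Recursively redact sensitive string values in place; returns the JSON paths touched.
def redact_secrets!(node, path = '$', findings = [])
  case node
  when Hash
    node.each do |key, value|
      child = "#{path}.#{key}"
      if SENSITIVE_KEYS.include?(key.to_s.downcase) && value.is_a?(String) && !value.empty?
        findings << child
        node[key] = '[REDACTED]'
      else
        redact_secrets!(value, child, findings)
      end
    end
  when Array
    node.each_with_index { |item, i| redact_secrets!(item, "#{path}[#{i}]", findings) }
  end
  findings
end

# Parse project.json text, scrub it, and return [clean_json, findings].
def scrub_project_export(json_text)
  data = JSON.parse(json_text)
  findings = redact_secrets!(data)
  [JSON.pretty_generate(data), findings]
end

# Constructed project.json fragment in the shape quoted in the report;
# the token is a placeholder, not a real credential.
SAMPLE_EXPORT = <<~JSON
  {
    "name": "test-import",
    "services": [
      { "type": "GithubService",
        "properties": {
          "repository_url": "https://github.com/foobar/test",
          "token": "0000000000000000000000000000000000000000",
          "static_context": true } }
    ]
  }
JSON

clean, findings = scrub_project_export(SAMPLE_EXPORT)
puts "Redacted #{findings.size} value(s) at #{findings.join(', ')}"
puts clean
```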