Ability to list and delete impersonation tokens for your own user
HackerOne report #1205916 by jimeno
on 2021-05-22, assigned to @dcouture:
Report
Summary
GitLab official documentation says only an Administrator can create an Impersonation Token. Otherwise users could deny administrators the use of this feature by continuously checking their Personal Access Tokens via the API and then revoking any generated impersonation token.
Impersonation tokens are a type of personal access token. They can be created only by an administrator, and are used to authenticate with the API as a specific user.
Suggested fix: only an administrator should be able to revoke an impersonation token. Also, impersonation tokens should not be listable by the impersonated user. Likewise, the user should not see the impersonation token when browsing their list of tokens in the GitLab UI.
Note: This report falls under the premise that only administrators should be able to revoke impersonation tokens.
Steps to reproduce
This was tested on a GitLab Ultimate instance.
- As Admin, browse to /admin/users, select your unprivileged user and click the Impersonation Tokens section.
- Generate a new token scoped as you wish and note the name you set for it.
- As user, browse to your profile and create a new Personal Access Token (PAT) scoped to API access at least.
- As user, list your PATs:
  $ curl --header "PRIVATE-TOKEN: YOUR-PAT" "https://YOUR-INSTANCE/api/v4/personal_access_tokens" -s | jq .
- Note that the response includes the impersonation token created by the administrator user. Take note of the token identifier.
- As user, revoke the impersonation token created by the administrator. Remember to replace the ID (6) with yours.
  $ curl -X DELETE --header "PRIVATE-TOKEN: YOUR-PAT" "https://YOUR-INSTANCE/api/v4/personal_access_tokens/6"
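An audit check for the behaviour reproduced above, added here as an example (it is not code from the report or from GitLab): it compares what the unprivileged user sees through GET /personal_access_tokens with the administrator's impersonation-token listing for the same user and flags any impersonation token the user can see, which on an affected instance the user could also revoke. The admin endpoint /users/:id/impersonation_tokens, the `active` field and the sample responses are assumptions, not taken from the report.

```python
import json
import urllib.request


def fetch_json(base_url, path, token):
    """GET a GitLab REST API path with the PRIVATE-TOKEN header, like the curl calls above."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4{path}", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exposed_impersonation_tokens(user_visible, admin_impersonation):
    """Return ids of impersonation tokens the impersonated user can see.

    user_visible: the user's own GET /personal_access_tokens response.
    admin_impersonation: the admin's GET /users/:id/impersonation_tokens
    response for the same user (assumed endpoint, not from the report).
    An id present in both lists is a token the user can see and, on an
    affected instance, revoke via DELETE /personal_access_tokens/:id.
    Revoked (inactive) tokens are ignored: they cannot be abused further.
    """
    admin_ids = {t["id"] for t in admin_impersonation if t.get("active", True)}
    return sorted(t["id"] for t in user_visible if t["id"] in admin_ids)


def audit_user(base_url, user_id, user_pat, admin_pat):
    """Live check against an instance: fetch both listings, return exposed ids."""
    user_visible = fetch_json(base_url, "/personal_access_tokens", user_pat)
    admin_tokens = fetch_json(base_url, f"/users/{user_id}/impersonation_tokens", admin_pat)
    return exposed_impersonation_tokens(user_visible, admin_tokens)


# Constructed sample responses (not captured from a real instance), shaped like
# the API output: on an affected instance the user's listing includes token 6,
# which the administrator created as an impersonation token.
USER_LISTING_AFFECTED = [
    {"id": 3, "name": "my-pat", "user_id": 42, "active": True, "scopes": ["api"]},
    {"id": 6, "name": "admin-impersonation", "user_id": 42, "active": True, "scopes": ["api"]},
]
ADMIN_IMPERSONATION_LISTING = [
    {"id": 6, "name": "admin-impersonation", "user_id": 42, "active": True, "impersonation": True},
]
# Expected listing once the fix is in place: the impersonation token is hidden.
USER_LISTING_FIXED = [t for t in USER_LISTING_AFFECTED if t["id"] != 6]

if __name__ == "__main__":
    print("exposed on affected instance:", exposed_impersonation_tokens(USER_LISTING_AFFECTED, ADMIN_IMPERSONATION_LISTING))
    print("exposed after fix:", exposed_impersonation_tokens(USER_LISTING_FIXED, ADMIN_IMPERSONATION_LISTING))
```

A non-empty result from audit_user means the instance still lets the impersonated user enumerate (and therefore revoke) administrator-created impersonation tokens.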
Impact
A low-privileged user is able to revoke an impersonation token created by the instance administrator for their account. Additionally, a normal GitLab user is able to know when an administrator has created an impersonation token for their account.
Examples
N/A
What is the current bug behavior?
A low-privileged user is able to revoke an impersonation token created by the instance administrator for their account.
What is the expected correct behavior?
Only an administrator should be able to revoke impersonation tokens. The impersonated user should not see the impersonation token when listing their Personal Access Tokens.
Relevant logs and/or screenshots
N/A
Output of checks
Only tested in GitLab Ultimate.
Results of GitLab environment info
root@rigel:/# gitlab-rake gitlab:env:info
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.2p137
Gem Version: 3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.3
Redis Version: 6.0.12
Git Version: 2.31.1
Sidekiq Version:5.2.9
Go Version: unknown
GitLab information
Version: 13.12.0-ee
Revision: 12a3ec8fb4a
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.6
URL: https://rigel.wiki
HTTP Clone URL: https://rigel.wiki/some-group/some-project.git
SSH Clone URL: git@rigel.wiki:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: auth0
GitLab Shell
Version: 13.18.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git