Webhook logs leak integration access tokens to other maintainers

HackerOne report #1557472 by joaxcar on 2022-05-03, assigned to @rshambhuni:

Report

Summary

The latest patch, 14.10.1, added masking to sensitive input fields to prevent leakage of access tokens through the UI. This prompted me to look a bit closer at those integrations.

It turns out that the integration settings page contains a worse leakage of these tokens, and is still present after the latest patch.

When a maintainer/owner configures an integration that adds a webhook event to the project (such as CI/CD integrations like Buildkite and Drone), the user is prompted to add a URL for the integration and an access token. The access token field is write-only (and as of 14.10.1 also a password field) and will not display the present integration setting. So after saving the integration, the token field will be empty so as not to leak this token.

hiddentoken.jpg

The problem is that after saving and activating the integration, a list is displayed at the bottom of the screen where the webhook log is shown. If any maintainer of the project clicks to view details on any of these log entries, the user will be presented with a page displaying the call that was made, including the secret tokens!

token.jpg

I will come back with a full list of affected integrations if needed. I have tested 4, which are affected at the moment.

Steps to reproduce
  1. Create two users victim and attacker
  2. Log in as victim
  3. Create a new project and go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/project_members
  4. Invite attacker as a maintainer to the project
  5. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/integrations/drone_ci/edit
  6. Fill in the URL https://example.com (this does not matter) and the access token HIDDEN_TOKEN
  7. Click save
  8. Click Test settings, a test hook call will be made
  9. Refresh the page
  10. There will be a failed hook call in the logs. Click view details
  11. The page will display the access token in a <h1> title
  12. Copy the URL, log in with attacker and go to the same page
  13. Confirm that the attacker can see the token

Impact

Leakage of sensitive tokens to other maintainers. Potentially giving the attacker full access to external systems

What is the current bug behavior?

Webhook log details pages display full call URL containing secret tokens

What is the expected correct behavior?

Tokens should not be shown in the details page
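The expected behavior above is that the webhook log details page never renders an integration's secret, even when the secret is embedded in the request URL path rather than a named parameter. The following Ruby snippet is an added example, not GitLab's own code, of masking a webhook log entry before it is stored or rendered to project maintainers. The record shape (`url`, `request_headers`, `request_data`, `response_status`), the `WebhookLogMasking` module and the sample entry are all assumptions constructed for illustration; `HIDDEN_TOKEN` is the placeholder secret from the report.

```ruby
require 'uri'
require 'cgi'

# Added example (not GitLab's code): mask an integration's secrets in a
# webhook log entry so the "view details" page cannot leak them.
module WebhookLogMasking
  MASK = '[FILTERED]'.freeze
  # Query parameter / body keys and header names that are masked by name.
  SENSITIVE_PARAMS  = %w[token access_token api_key secret password].freeze
  SENSITIVE_HEADERS = %w[authorization x-gitlab-token private-token].freeze

  # Constructed sample log record; field names are assumptions, not a real
  # schema. The token appears in the URL path, a query parameter, a header
  # and the body, which is why masking by key name alone is not enough.
  SAMPLE_ENTRY = {
    'url' => 'https://example.com/api/repos/HIDDEN_TOKEN/builds?access_token=HIDDEN_TOKEN&branch=main',
    'request_headers' => {
      'Content-Type' => 'application/json',
      'Authorization' => 'Bearer HIDDEN_TOKEN'
    },
    'request_data' => { 'ref' => 'main', 'token' => 'HIDDEN_TOKEN' },
    'response_status' => 401
  }.freeze

  # Replace every occurrence of a known secret (raw or percent-encoded).
  def self.mask_secrets(text, secrets)
    secrets.compact.reject(&:empty?).reduce(text) do |acc, secret|
      acc.gsub(secret, MASK).gsub(CGI.escape(secret), MASK)
    end
  end

  # Mask sensitive query parameters by name, then scrub the known secrets
  # from the whole URL so a token placed in the path is caught too.
  def self.mask_url(url, secrets)
    uri = URI.parse(url)
    if uri.query
      uri.query = URI.decode_www_form(uri.query).map do |key, value|
        shown = SENSITIVE_PARAMS.include?(key.downcase) ? MASK : URI.encode_www_form_component(value)
        "#{URI.encode_www_form_component(key)}=#{shown}"
      end.join('&')
    end
    mask_secrets(uri.to_s, secrets)
  end

  # Credential-bearing headers are masked wholesale; others are scrubbed.
  def self.mask_headers(headers, secrets)
    headers.to_h do |name, value|
      shown = SENSITIVE_HEADERS.include?(name.downcase) ? MASK : mask_secrets(value.to_s, secrets)
      [name, shown]
    end
  end

  # Recursively mask a request body (hash/array/string).
  def self.mask_data(data, secrets)
    case data
    when Hash
      data.to_h do |key, value|
        [key, SENSITIVE_PARAMS.include?(key.to_s.downcase) ? MASK : mask_data(value, secrets)]
      end
    when Array  then data.map { |value| mask_data(value, secrets) }
    when String then mask_secrets(data, secrets)
    else data
    end
  end

  # Returns a copy of the entry with URL, headers and body masked. Call this
  # before persisting the log, not only before rendering it.
  def self.mask_entry(entry, secrets)
    entry.merge(
      'url' => mask_url(entry['url'], secrets),
      'request_headers' => mask_headers(entry['request_headers'], secrets),
      'request_data' => mask_data(entry['request_data'], secrets)
    )
  end
end

if __FILE__ == $PROGRAM_NAME
  masked = WebhookLogMasking.mask_entry(WebhookLogMasking::SAMPLE_ENTRY, ['HIDDEN_TOKEN'])
  puts masked['url']
  puts masked['request_headers'].inspect
  puts masked['request_data'].inspect
end
```

Two design points matter here. First, masking by parameter name is not sufficient for the case in this report, where the integration places the token in the URL path; the entry has to be scrubbed against the secrets the integration actually stores. Second, applying the mask when the log row is written, rather than in the details view, means the database never holds the secret, so no other page, export or backup can leak it later.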

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • token.jpg
  • hiddentoken.jpg
