Grafana token leaked in plain to other maintainers
dev.gitlab.org
development issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2966
HackerOne report #737049 by xanbanx
on 2019-11-13, assigned to @jeremymatos:
Hi GitLab Security Team,
Summary
GitLab added Grafana support on project level. This means, the Grafana settings also can be configured on project level.
When going to the settings, the owner or maintainer of a project has to enter the Grafana URL and the Grafana API token.
When visiting the settings page again, the API token is presented again. Thus any other maintainer can grab the Grafana token and possibly abuse it.
Steps to reproduce
- Create a new project.
- Go to https://example.gitlab.com/<namespace>/<project>/-/settings/operations
- Activate Grafana by adding a URL, and add a token
- Add another maintainer to the project and as this user, revisit https://example.gitlab.com/<namespace>/<project>/-/settings/operations and see the leaking token
Also view the attached screenshot showing this:
Impact
The Grafana API key is leaked to other maintainers. This is problematic because a different maintainer can simply copy this token.
When this maintainer is removed from the project, this user is still in possession of the API key. Grafana even only shows the token once (as it should be), but GitLab renders it unmasked.
What is the current bug behavior?
The GitLab settings page leaks the Grafana API token to other maintainers by showing it in plaintext.
What is the expected correct behavior?
When using tokens, do not present them in plain text. Use a masked version of them.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
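The masked handling the report asks for, shown as an added example beside the leaky behaviour it describes. This is not GitLab's code: the `GrafanaIntegration` struct, the helper names and the sample token are assumptions constructed for illustration.

```ruby
require "cgi"
require "json"

# Hypothetical stand-in for the project-level Grafana integration record.
GrafanaIntegration = Struct.new(:grafana_url, :token, keyword_init: true)

# Fixed-length placeholder: reveals neither the token's characters nor its length.
SECRET_PLACEHOLDER = "********"

# Behaviour the report describes: the stored token is echoed back into the
# settings form, so anyone who can open the page can copy it.
def render_token_field_leaky(integration)
  %(<input type="text" name="token" value="#{CGI.escapeHTML(integration.token.to_s)}">)
end

# Hardened rendering: the stored secret never leaves the server. The field is
# write-only (an empty password input); the placeholder only signals that a
# token is already configured.
def render_token_field_hardened(integration)
  hint = integration.token.to_s.empty? ? "" : SECRET_PLACEHOLDER
  %(<input type="password" name="token" value="" placeholder="#{hint}" autocomplete="new-password">)
end

# Server-side handling of the submitted form: a blank or placeholder value means
# "keep the existing token"; only a freshly typed value rotates the secret.
def apply_token_update(current_token, submitted)
  value = submitted.to_s.strip
  return current_token if value.empty? || value == SECRET_PLACEHOLDER
  value
end

# JSON view of the settings (e.g. for an API response): expose whether a token
# is set, never the token itself.
def settings_json(integration)
  JSON.generate({
    grafana_url: integration.grafana_url,
    token_configured: !integration.token.to_s.empty?
  })
end

# True if the given secret appears anywhere in rendered output.
def leaks_secret?(output, secret)
  output.include?(secret)
end
```

Checking rendered pages and API responses with `leaks_secret?` against the stored value is a cheap regression test for this class of bug.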