Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)
HackerOne report #1656722 by joaxcar
on 2022-08-01, assigned to GitLab Team
Report
Summary
In the 15.2.1 patch there was a fix for my reports that are bundled in the report https://hackerone.com/reports/1557992
The patch failed to fix at least one integration, the Github one. This integration still allows for changing the URL and leaking the configured access token.
This makes it possible for a malicious user (maintainer) to change the server to a user controlled server, where the attacker can then extract the token. The attacker needs maintainer access to the project, but should nevertheless not have access to the configured access token. The impact is the same as for my previous reports. I did mention this issue in the original report but I guess it slipped through.
Steps to reproduce
Make sure to have a webhook server where you can see incoming requests. I use https://webhook.site for my tests
You will need to generate a project with mirrored repository from Github for the integration to be enabled. So I will first describe that.
- Log in to github.com (note: GITHUB)
- Create a repository, name it anything
- Create an API token with "repo" scope, https://github.com/settings/tokens
Then on GITLAB:
- Create two users: victim and attacker
- Log in as victim, and create a new project. Make sure to UNCHECK "initialize with README"
- Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/project_members
- Invite attacker as a maintainer to the project
- Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/repository and expand "Mirroring repositories"
- Configure both a PUSH and a PULL mirroring, enter URL as https://USERNAME@github.com/REPOPATH and the generated API token as password. Make sure to check all boxes (I don't know what is needed, check everything)
- Now go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/integrations/github/edit
- Fill in the access token HIDDEN_TOKEN and GitHub repo https://github.com/anything/anything
- Click save, the token field should turn empty
- Log in with attacker
- Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/integrations/github/edit
- Enter a new value for server URL using the catch server
- Click "Test settings"
- Go to the catch server and see that a request has been received with the token in plain text
If the "Test settings" button is missing, there is something wrong with the repo mirroring.
Impact
User with maintainer access can leak the configured GitHub access token. This token is supposed to be hidden and will give the attacker access to the GitHub API as the victim user.
What is the current bug behavior?
Changing server URL does not reset the previous access token
What is the expected correct behavior?
When the server URL changes, the token should be deleted
Output of checks
This bug happens on GitLab.com
Impact
Leakage of sensitive tokens to other maintainers. Potentially giving the attacker access to external systems
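The expected correct behaviour in the report (a server URL change must invalidate the stored token) can be modelled independently of GitLab's code. The following is an added example written for this page, not GitLab's implementation: a minimal Ruby integration record whose settings update keeps the stored secret when the form is re-saved with the token field left blank (the form renders it empty after a save, as the report notes) but drops it whenever the server URL changes, so a later "test settings" call cannot carry the old token to a new destination. Class and method names, the HTTPS-only rule and the audit log are assumptions of this example.

```ruby
# Added example, not GitLab's code: an integration record that stores an
# external server URL plus a secret token and enforces "URL change clears
# token" on every settings update.
require 'uri'

class ExternalIntegration
  attr_reader :server_url, :token, :audit_log

  def initialize(server_url:, token:)
    @server_url = normalize(server_url)
    @token = token
    @audit_log = [] # assumption: changes are recorded for detection/review
  end

  # Apply a settings form submission.
  # - blank token + unchanged URL  -> keep the stored secret (normal re-save)
  # - changed URL                   -> stored secret is discarded first
  # - non-blank token               -> becomes the new secret for the new URL
  def update_settings(server_url:, token: nil, actor: 'unknown')
    new_url = normalize(server_url)
    if new_url != @server_url
      @audit_log << "#{actor} changed server_url #{@server_url} -> #{new_url}; token cleared"
      @server_url = new_url
      @token = nil
    end
    @token = token unless blank?(token)
    self
  end

  # What a "test settings" call would send. Returns nil when there is no
  # token valid for the current URL, so the caller must ask for a new one
  # instead of reusing a secret entered for a different server.
  def test_request
    return nil if blank?(@token)

    { url: @server_url, headers: { 'Authorization' => "token #{@token}" } }
  end

  private

  # Assumption: only HTTPS endpoints are accepted for an integration URL.
  def normalize(url)
    parsed = URI.parse(url)
    raise ArgumentError, 'https URL required' unless parsed.is_a?(URI::HTTPS)

    parsed.to_s
  end

  def blank?(value)
    value.nil? || value.strip.empty?
  end
end

# Constructed walkthrough mirroring the report's sequence.
if $PROGRAM_NAME == __FILE__
  rec = ExternalIntegration.new(server_url: 'https://api.github.com', token: 'ghp_constructed')
  rec.update_settings(server_url: 'https://api.github.com', token: '', actor: 'victim')
  puts "after plain re-save, token kept: #{!rec.token.nil?}"
  rec.update_settings(server_url: 'https://catch.example', actor: 'maintainer')
  puts "after URL change, test request: #{rec.test_request.inspect}"
  puts rec.audit_log
end
```

The audit entry written on every URL change is the detection hook: an integration URL moving to a host outside the expected provider, especially by an account other than the one that configured the token, is the event worth alerting on even once the token is no longer reusable.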