
Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)

HackerOne report #1656722 by joaxcar on 2022-08-01, assigned to GitLab Team:


Report

Summary

In the 15.2.1 patch there was a fix for my reports that are bundled in the report https://hackerone.com/reports/1557992

The patch failed to fix at least one integration, the Github one. This integration still allows for changing the URL and leaking the configured access token.

This makes it possible for a malicious user (maintainer) to change the server to a user controlled server, where the attacker can then extract the token. The attacker needs maintainer access to the project, but should nevertheless not have access to the configured access token. The impact is the same as for my previous reports. I did mention this issue in the original report but I guess it slipped through.

Steps to reproduce

Make sure to have a webhook server where you can see incoming requests. I use https://webhook.site for my tests

You will need to generate a project with mirrored repository from Github for the integration to be enabled. So I will first describe that.

  1. Log in to github.com (note: GITHUB)
  2. Create a repository, name it anything
  3. Create an API token with "repo" scope, https://github.com/settings/tokens

Then on GITLAB:

  1. Create two users victim and attacker
  2. Log in as victim, and create a new project. Make sure to UNCHECK "initialize with README"
  3. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/project_members
  4. Invite attacker as a maintainer to the project
  5. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/repository and expand "Mirroring repositories"
  6. Configure both a PUSH and a PULL mirroring, enter URL as https://USERNAME@github.com/REPOPATH and the generated API token as password. Make sure to check all boxes (I don't know what is needed, check everything)
  7. Now go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/integrations/github/edit
  8. Fill in the access token HIDDEN_TOKEN and GitHub repo https://github.com/anything/anything
  9. Click save, the token field should turn empty
  10. Log in with attacker
  11. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/integrations/github/edit
  12. Enter a new value for server URL using the catch server
  13. Click Test settings
  14. Go to the catch server and see that a request has been received with the token in plain text

If the "Test settings" button is missing, there is something wrong with the repo mirroring.

Impact

User with maintainer access can leak the configured GitHub access token. This token is supposed to be hidden and will give the attacker access to the GitHub API as the victim user.

What is the current bug behavior?

Changing server URL does not reset the previous access token

What is the expected correct behavior?

When the server URL changes, the token should be deleted
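An added illustration of that expected behaviour (example code, not GitLab's own): a settings model that discards the stored token whenever the endpoint's origin changes, unless a fresh token is supplied in the same edit, so a "Test settings" request to a new host can never carry the old secret. The class, method names and sample URLs are assumptions.

```ruby
require 'uri'

# Illustrative settings model (hypothetical, not GitLab's code). Tracks the
# integration's server URL and stored token, and forgets the token whenever
# the URL is moved to a different origin.
class IntegrationSettings
  attr_reader :server_url

  def initialize(server_url:, token:)
    @server_url = server_url
    @token = token
    origin(server_url) # validate up front
  end

  # Apply an edit from the settings form. An empty token field normally means
  # "keep the stored secret"; that is what the report abuses when the URL may
  # change at the same time. So: a change of origin wipes the stored token
  # unless a new one is supplied in the very same edit.
  def update(server_url:, token: nil)
    url_changed = origin(server_url) != origin(@server_url)
    @server_url = server_url
    if token && !token.empty?
      @token = token        # operator supplied a secret for the new host
    elsif url_changed
      @token = nil          # the old secret must never travel to a new host
    end
    self
  end

  def token_configured?
    !@token.nil?
  end

  # What a "Test settings" request would send; returned rather than sent so
  # callers can check that no Authorization header survives a move.
  def test_request
    headers = {}
    headers['Authorization'] = "token #{@token}" if @token
    { url: @server_url, headers: headers }
  end

  private

  # Scheme + host + port; a path change on the same server is not a move.
  # Plain http is refused because the token would cross the wire in clear.
  def origin(url)
    u = URI.parse(url)
    raise ArgumentError, 'https required' unless u.scheme == 'https' && u.host
    "#{u.scheme}://#{u.host.downcase}:#{u.port}"
  end
end
```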

Output of checks

This bug happens on GitLab.com

Impact

Leakage of sensitive tokens to other maintainers. Potentially giving the attacker access to external systems

Edited by Greg Alfaro