
Maintainer can leak Datadog API key by changing integration URL

HackerOne report #1724402 by ryotak on 2022-10-06, assigned to @cmaxim:


Report

Summary

Due to the incomplete fixes for CVE-2022-2497 and CVE-2022-2882, a malicious maintainer can still leak the Datadog API key by changing the integration URL.

Description

In the patch for CVE-2022-2882, some fields of the Github integration model were modified, and exposes_secrets: true was added to the repository_url field.
This option enables resetting of secrets once the field is updated, which makes exfiltration of access tokens impossible.

ee/app/models/integrations/github.rb lines 22-26

    field :repository_url,
      title: -> { s_('GithubIntegration|Repository URL') },
      required: true,
      exposes_secrets: true,
      placeholder: 'https://github.com/owner/repository'

However, there are some models that are missing the exposes_secrets option.
While most of these models use their own method to reset the secrets (e.g. before_validation :reset_password), there is one exception: Datadog.

app/models/integrations/jenkins.rb lines 30-44

    before_validation :reset_password
    [...]
    def reset_password
      # don't reset the password if a new one is provided
      if (jenkins_url_changed? || username.blank?) && !password_touched?
        self.password = nil
      end
    end

In the Datadog model, there are no validations for exposing the secrets, which allows a malicious maintainer to leak API keys by changing the integration URL.

app/models/integrations/datadog.rb line 25

    validates :api_url, public_url: { allow_blank: true }

Steps to reproduce

(These steps to reproduce assume that you're using gitlab.com. If you're using a self-hosted instance, you may need to prepare a GitLab runner.)

  1. Prepare 2 GitLab accounts. (Called account A and account B below)
  2. Create a project with account A and upload .gitlab-ci.yml to the repository.
  3. In Settings -> Integrations -> Datadog, enable a Datadog integration and enter a new API key. (This API key can be a random string)
  4. In Project information -> Members, invite account B with the Maintainer permission.
  5. Log in to account B, and open the project created in step 2.
  6. In Settings -> Integrations -> Datadog, fill the API URL with a server whose request log you can read. (I'd recommend https://requestbin.com/ if you need a server.)
  7. Click Test settings.
  8. Confirm the API key of Datadog is sent to the server.

If you have any troubles with these steps to reproduce, please check the video attached to this report.

Examples

Example repository that demonstrated the vulnerability: https://gitlab.com/Ry0taK/maintainer-integration-leak
As this repository is private, please let me know if you need to access this repository.

What is the current bug behavior?

Access tokens for the Datadog integration keep remaining even after the API URL is changed.

What is the expected correct behavior?

Access tokens for the Datadog integration should be cleared once the API URL is changed.

Suggested fix

Add exposes_secrets: true to api_url in the Datadog integration model.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

    System information
    System:         Ubuntu 20.04
    Proxy:          no
    Current User:   git
    Using RVM:      no
    Ruby Version:   2.7.5p203
    Gem Version:    3.1.6
    Bundler Version:2.3.15
    Rake Version:   13.0.6
    Redis Version:  6.2.7
    Sidekiq Version:6.4.2
    Go Version:     unknown

    GitLab information
    Version:        15.4.1-ee
    Revision:       7b2ed8f038f
    Directory:      /opt/gitlab/embedded/service/gitlab-rails
    DB Adapter:     PostgreSQL
    DB Version:     13.6
    URL:            https://gl.ryotak.me
    HTTP Clone URL: https://gl.ryotak.me/some-group/some-project.git
    SSH Clone URL:  git@gl.ryotak.me:some-group/some-project.git
    Elasticsearch:  no
    Geo:            no
    Using LDAP:     no
    Using Omniauth: yes
    Omniauth Providers:

    GitLab Shell
    Version:        14.10.0
    Repository storage paths:
    - default:      /var/opt/gitlab/git-data/repositories
    GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Impact

A malicious maintainer can leak the Datadog API key, and modify/exfiltrate information on Datadog.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
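The reset behaviour the report describes (the exposes_secrets option and the Jenkins reset_password hook) contrasted with the Datadog model's missing reset, as an added plain-Ruby example that is not GitLab's code; IntegrationStub, key_sent_after_url_change and the URL/key values are constructed for illustration and stand in for ActiveRecord change tracking.

```ruby
# Added example, not GitLab code: a plain-Ruby stand-in for an integration model
# with change tracking, with and without a secret reset on URL change.
class IntegrationStub
  attr_reader :api_url, :api_key

  def initialize(api_url:, api_key:, reset_on_url_change:)
    @api_url = api_url
    @api_key = api_key
    @reset_on_url_change = reset_on_url_change
    @api_url_changed = false
    @api_key_touched = false
  end

  def api_url=(url)
    @api_url_changed ||= (url != @api_url)
    @api_url = url
  end

  # Any assignment counts as "a new key was provided", like password_touched?
  def api_key=(key)
    @api_key_touched = true
    @api_key = key
  end

  # Mirrors the Jenkins before_validation reset: drop the secret when the URL
  # changed and no replacement secret was supplied.
  def reset_api_key
    return unless @reset_on_url_change
    @api_key = nil if @api_url_changed && !@api_key_touched
  end

  def save
    reset_api_key
    @api_url_changed = false
    @api_key_touched = false
    self
  end

  # What a "Test settings" call would send to the configured URL
  def test_request
    { url: @api_url, api_key: @api_key }
  end
end

# Scenario from the report: the owner stores a key, then a maintainer changes
# only the URL. Returns the key that would be sent to the new URL (nil = none).
def key_sent_after_url_change(reset_on_url_change:, new_key: nil)
  i = IntegrationStub.new(api_url: 'https://api.datadoghq.com',
                          api_key: 'constructed-owner-key', # constructed value
                          reset_on_url_change: reset_on_url_change)
  i.save
  i.api_url = 'https://collector.example/log' # constructed URL, not a real host
  i.api_key = new_key if new_key
  i.save.test_request[:api_key]
end
```

With reset_on_url_change: false the owner's key is sent to the new URL (the reported behaviour); with it true the key is nil unless the maintainer supplied a new one.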

Edited by Costel Maxim