Webhook secret tokens can be leaked by maintainer changing URL
HackerOne report #1757999 by joaxcar on 2022-11-01, assigned to @greg:
Report | How To Reproduce | Imported issue
Report
Imported from h1: #383113 (closed)
Summary
Since issue #359989 (closed) was merged, webhook secrets are now hidden for maintainers of a project after they are saved. The UI and API gives no way of retrieving the secret after configuration.
However, a maintainer with access to the project webhook settings could change the webhook URL to a different endpoint and extract the secret token via the request sent to that endpoint.
Impact
Secret webhook tokens are discoverable to project maintainers who change the webhook URL.
What is the current bug behavior?
Secret token value is retained, not reset upon changing the webhook URL.
What is the expected correct behavior?
Secret token will be reset and not retained after changing a webhook URL.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
How To Reproduce
Please add reproducibility information to this section:
- Create a new project
- Go to https://gitlab.com/GROUP/PROJECT/-/hooks and configure a webhook. Make sure you also add a secret token.
- Click save
- Invite another user to the project as a maintainer
- Log into GitLab as the newly-appointed maintainer
- Go to the project hooks as this user https://gitlab.com/GROUP/PROJECT/-/hooks
- Modify webhook URL to point to an endpoint that can be used to sniff/extract the secret token (webhook.site)
- Test the webhook
- Get secret token from request header sent to the new endpoint
- (Optional) Change webhook URL back to original URL to restore functionality and reduce likelihook of detection
Related to #381895 (closed)