Mirror repository error reveals password in Settings UI (to maintainers)
Summary
When an error occurs in Repository Mirroring, the error message reveals the stored password.
Steps to reproduce
- Create a repo mirror with some configuration causing an error, e.g. with an invalid URL: git://github.com/onezoomin/logseq.git/ (use any password to test)
- Manually trigger the repo mirror or wait for GitLab to schedule it
- See the password in the error tooltip
What is the current bug behavior?
Shows *** in place of the password in the URL displayed in the UI, but reveals the password in the error tooltip.
What is the expected correct behavior?
Should not reveal password.
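The expected behaviour, illustrated with an added Ruby example (not GitLab's own code): the password component of the mirror URL is masked before the URL is formatted into an error message, and, because the upstream error text (git stderr, an HTTP client message) may itself echo the URL, the raw secret is scrubbed from that text too. The helper names, the mask string and the sample URL and error text are all constructed for this example.

```ruby
require 'uri'

# Same presentation the settings page already uses for the URL (hypothetical constant).
MASK = '*****'.freeze

# Extract the password embedded in the URL's userinfo, or nil when there is none.
def url_password(url)
  URI.parse(url).password
rescue URI::Error
  # Input URI.parse rejects (e.g. spaces): fall back to a plain pattern match so
  # an unparseable URL never causes the secret to be left unscrubbed.
  m = url.match(%r{://[^:/@]+:([^@]*)@})
  m && m[1]
end

# Return a copy of the URL with its password replaced by MASK.
def mask_url_password(url)
  uri = URI.parse(url)
  return url if uri.password.nil? || uri.password.empty?
  uri.password = MASK
  uri.to_s
rescue URI::Error
  url.sub(%r{(://[^:/@]+:)[^@]*@}, "\\1#{MASK}@")
end

# Build the text to show in the error tooltip. Both the URL we format and the
# upstream error message are masked, since the latter may quote the raw URL.
def mirror_error_message(url, upstream_error)
  secret = url_password(url)
  scrubbed = if secret.nil? || secret.empty?
               upstream_error
             else
               upstream_error.gsub(secret, MASK)
             end
  "Failed to update mirror #{mask_url_password(url)}: #{scrubbed}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an invalid git:// mirror URL with a throwaway password,
  # and an upstream error that echoes the URL back verbatim.
  url = 'git://mirror-user:s3cr3t-token@github.com/example/project.git/'
  upstream = "fatal: unable to access '#{url}': Invalid URL"
  puts mirror_error_message(url, upstream)
end
```

The point of scrubbing the upstream text separately is that masking only the URL the application formats is not enough: whatever subsystem produced the error may have been handed the unmasked URL and included it in its own message, which is exactly how a "***" in the settings view can coexist with a cleartext password in the tooltip.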
Output of checks
This bug happens on GitLab.com
Impact assessment
Any other user with at least Maintainer access can access the secret, which might be a problem in case a maintainer enters a token which grants access to e.g. a different repo/git server that other maintainers are not supposed to have direct access to. But for this to be an attack vector, one would need maintainer-level access AND be able to produce an error; I could only think of the possibility of a DDoS on a smaller server to reveal its secret.
I thought about submitting this as a first HackerOne report, but then could not think of a serious attack vector, so I just posted it here. But I would be curious whether you think I should've/could've also posted it there.