
Prometheus integration Google IAP details are not hidden, leaking account details from instance/group/project settings to other users

HackerOne report #1780770 by joaxcar on 2022-11-21, assigned to @cmaxim:

Report

Summary

Hi team, this one has been bugging me for a while. It looks too obvious, but I thought I might report it anyhow to make sure you know about it.

Since a while back (14.10.1) GitLab has been masking sensitive integration information, such as tokens and passwords. They have also made sure that other maintainers can leak the tokens by modifying the configured URLs (see 15.2.1). But one integration is still left fully unmasked: the Prometheus integration.

When a user configures the Prometheus integration, the user has the option to add Google IAP credentials (from a Google IAP Service Account JSON file containing the account's private token and other values). This field is not masked and allows any other maintainer in the project to access the configured values. What is worse is that these settings can be configured at group level, and even at instance level. When an admin of the GitLab instance configures an instance-wide Prometheus integration, the Google IAP credentials from the admin configuration are fully accessible to any other user in any project.

I see no reason why these tokens should be unmasked and also accessible to all users on the instance (when configured by an administrator). As with other credential fields, the tokens should also be cleared if another user chooses to modify the URL, to prevent leakage that way. As it is now, switching to custom configuration will allow a user to reuse the admin-configured instance-wide token.

Steps to reproduce

  1. Create an admin account and a normal user account (attacker)
  2. As the administrator, log in to GitLab
  3. Go to https://gitlab.example.com/admin/application_settings/integrations/prometheus/edit
  4. Fill out the form: any URL, any Client ID, and some token, for example:

         {
             email: key.client_email,
             key: key.private_key,
             scopes: [*]
         }

  5. Click save
  6. Log out and log back in as the attacker (normal user)
  7. Create a new project
  8. Go to https://gitlab.example.com/USERNAME/PROJECTNAME/-/settings/integrations/prometheus/edit
  9. The instance-wide token is fully visible
  10. Also try switching to "custom settings" and notice that you can change the URL without the token being removed.

Impact

Any user can leak the instance wide Prometheus Google IAP credentials.

What is the current bug behavior?

The Prometheus integration does not mask credential fields.

What is the expected correct behavior?

The integration should work like the other integrations, keeping secrets hidden.

Output of checks

This bug happens on GitLab.com

How To Reproduce

Please add reproducibility information to this section:
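The handling the report asks for (secrets masked on every read, the stored secret dropped when the API URL is changed, and a masked placeholder on resubmission meaning "unchanged") as an added illustration; this is not GitLab's code, and the field names are hypothetical, only loosely modelled on the Prometheus integration form:

```python
"""Added example (not GitLab's code): a minimal model of credential-field
handling for an integration so the Google IAP service-account JSON is never
echoed back to users and is discarded when the API URL changes.
Field names are hypothetical."""
from dataclasses import dataclass, fields, replace

MASK = "********"  # placeholder rendered instead of a stored secret
SECRET_FIELDS = ("google_iap_service_account_json",)


@dataclass(frozen=True)
class PrometheusIntegration:
    api_url: str
    google_iap_audience_client_id: str = ""
    google_iap_service_account_json: str = ""  # secret, never rendered


def render_form(cfg: PrometheusIntegration) -> dict:
    """Values that are safe to send to any user's settings page."""
    out = {}
    for f in fields(cfg):
        value = getattr(cfg, f.name)
        out[f.name] = (MASK if value else "") if f.name in SECRET_FIELDS else value
    return out


def apply_update(stored: PrometheusIntegration, submitted: dict) -> PrometheusIntegration:
    """Merge a submitted form into the stored configuration.

    - A submitted MASK means "unchanged": the stored secret is kept.
    - If api_url changes and no new secret was supplied, the stored secret is
      cleared so the old credential cannot be redirected to another host.
    - Unknown keys are ignored.
    """
    known = {f.name for f in fields(stored)}
    changes = {}
    for name, value in submitted.items():
        if name not in known:
            continue
        if name in SECRET_FIELDS and value == MASK:
            continue  # placeholder: keep the existing secret
        changes[name] = value
    url_changed = changes.get("api_url", stored.api_url) != stored.api_url
    new = replace(stored, **changes)
    if url_changed and "google_iap_service_account_json" not in changes:
        new = replace(new, google_iap_service_account_json="")
    return new
```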