Prometheus integration Google IAP details are not hidden, leaking account details from instance/group/project settings to other users
HackerOne report #1780770 by joaxcar
on 2022-11-21, assigned to @cmaxim:
Report
Summary
Hi team, this one has been bugging me for a while. It looks too obvious, but I thought I might report it anyhow to make sure you know about it.
Since a while back (14.10.1), GitLab has been masking sensitive integration information, such as tokens and passwords. They have also made sure that other maintainers can leak the tokens by modifying the configured URLs (see 15.2.1). But one integration is still left fully unmasked: the Prometheus integration.
When a user configures the Prometheus integration, the user has the option to add Google IAP credentials (from a Google IAP Service Account JSON file containing the account's private token and other values). This field is not masked and allows any other maintainer in the project to access the configured values. What is worse is that these settings can be configured at group level, and even at instance level. When an admin of the GitLab instance configures an instance-wide Prometheus integration, the Google IAP credentials from the admin configuration are fully accessible by any other user in any project.
I see no reason why these tokens should be unmasked and also accessible to all users on the instance (when configured by an administrator). As with other credential fields, the tokens should also be cleared if another user chooses to modify the URL, to prevent leakage that way. As it is now, switching to custom configuration will allow a user to reuse the admin-configured instance-wide token.
Steps to reproduce
- Create an admin account and a normal user account (attacker)
- As the administrator log in to GitLab
- Go to https://gitlab.example.com/admin/application_settings/integrations/prometheus/edit
- Fill out the form: any URL, any Client ID, and some token, for example:
  ```
  {
  email: key.client_email,
  key: key.private_key,
  scopes: [*]
  }
  ```
- Click save
- Log out and log back in as the attacker (normal user)
- Create a new project
- Go to https://gitlab.example.com/USERNAME/PROJECTNAME/-/settings/integrations/prometheus/edit
- The instance-wide token is fully visible
- Also try switching to "custom settings" and notice that you can change the URL without the token being removed.
Impact
Any user can leak the instance wide Prometheus Google IAP credentials.
What is the current bug behavior?
The Prometheus integration does not mask credential fields
What is the expected correct behavior?
The integration should work as the other integrations, keeping secrets hidden
Output of checks
This bug happens on GitLab.com
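As an added example that is not part of the original report or of GitLab's code base: a small Python check that fetches a project's Prometheus integration through GitLab's REST API as a low-privileged user and flags whether the Google IAP service-account JSON (and the private key inside it) comes back unmasked. It assumes the endpoint `GET /projects/:id/integrations/prometheus` and the integration property names `api_url`, `google_iap_audience_client_id` and `google_iap_service_account_json`; the sample response below is constructed with a fake key and is not data from any instance.

```python
# Added example, not from the HackerOne report or GitLab's own code.
# Assumes GitLab's REST endpoint GET /projects/:id/integrations/prometheus
# and the Prometheus integration property names api_url,
# google_iap_audience_client_id and google_iap_service_account_json.
import json
import urllib.request

# Keys inside a Google service-account JSON that must never reach a client.
SECRET_SA_KEYS = ("private_key", "private_key_id")


def classify_iap_exposure(properties: dict) -> dict:
    """Inspect the `properties` object of an integration API response.

    Returns which IAP-related fields are present and whether the embedded
    service-account JSON still carries private-key material."""
    sa_raw = properties.get("google_iap_service_account_json") or ""
    report = {
        "api_url": properties.get("api_url"),
        "audience_client_id_present": bool(properties.get("google_iap_audience_client_id")),
        "service_account_present": bool(sa_raw),
        "client_email": None,
        "private_key_leaked": False,
    }
    try:
        sa = json.loads(sa_raw) if sa_raw else {}
    except json.JSONDecodeError:
        # A masked placeholder (or garbled value) does not parse; it is not a
        # leak, but service_account_present stays True so a reviewer can look.
        sa = {}
    if isinstance(sa, dict):
        report["client_email"] = sa.get("client_email")
        report["private_key_leaked"] = any(sa.get(k) for k in SECRET_SA_KEYS)
    return report


def redact_properties(properties: dict) -> dict:
    """What a non-admin should see instead: non-secret settings intact,
    the service-account JSON replaced by a placeholder."""
    redacted = dict(properties)
    if redacted.get("google_iap_service_account_json"):
        redacted["google_iap_service_account_json"] = "***"
    return redacted


def fetch_prometheus_properties(base_url: str, project_id: int, token: str) -> dict:
    """Fetch the Prometheus integration as the user owning `token` (network call)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/integrations/prometheus",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("properties", {})


# Constructed sample of an unmasked response; the key material is fake.
FAKE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "client_email": "prometheus-iap@example-project.iam.gserviceaccount.com",
    "private_key_id": "0000deadbeef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEFAKEFAKE\n-----END PRIVATE KEY-----\n",
})
SAMPLE_UNMASKED = {
    "api_url": "https://prometheus.example.com",
    "google_iap_audience_client_id": "1234.apps.googleusercontent.com",
    "google_iap_service_account_json": FAKE_SERVICE_ACCOUNT,
}

if __name__ == "__main__":
    print(json.dumps(classify_iap_exposure(SAMPLE_UNMASKED), indent=2))
    print(json.dumps(classify_iap_exposure(redact_properties(SAMPLE_UNMASKED)), indent=2))
```

To use it against a live instance, call `fetch_prometheus_properties` with the attacker account's personal access token and the ID of a project that inherits the instance-wide integration, then pass the result to `classify_iap_exposure`. A `private_key_leaked` of `True` under the low-privileged token reproduces the report; once the field is masked like other integration secrets, the value should be absent or a placeholder and the check reports no leak.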