Group integration settings sensitive information exposed to project maintainers
HackerOne report #1796210 by vaib25vicky
on 2022-12-08, assigned to GitLab Team
Report
Hi,
Summary
Integration settings such as Discord and Slack notifications require a webhook URL, which is a unique URL with an embedded token that grants access to the user's Discord/Slack.
Anyone with this webhook URL can post to Discord/Slack and send any content/message without authentication.
For this reason, when a GitLab Discord/Slack integration is configured, GitLab doesn't show the webhook URL to other members of the project in the UI.
However, I've found that the integrations API discloses the webhook URL to other members of the project.
This is a security issue, and an attack scenario is as follows:
- Group owner creates a Discord integration at group level
- Project maintainers who go to the Discord integration page at project level can't see sensitive values such as the webhook URL
- Project maintainers use the integrations API
GET /projects/:id/integrations/discord
and gain access to the group owner's Discord webhook URL
Steps to reproduce
- Group owner sets up the Discord integration at group level by going to
https://gitlab.com/groups/<group-name>/-/settings/integrations/discord/edit
- Let's suppose there's a project inside the group and there exists a maintainer named foo
- foo uses the integrations API and gains access to the group owner's Discord webhook URL
curl --request GET \
--url https://gitlab.com/api/v4/projects/<PROJECT-ID>/integrations/discord \
--header 'Content-Type: application/json' \
--header 'PRIVATE-TOKEN: <USER-ACCESS-TOKEN>'
What is the current bug behavior?
Webhook URLs for Discord/Slack and similar apps are sensitive information. GitLab protects this URL in the UI but not in the API.
Even if there are two owners in the project, the second owner can't access tokens and sensitive URLs set up by the first owner in the integration settings.
What is the expected correct behavior?
The expected behavior is to mask or not show the Discord/Slack webhook URLs in API responses, just as they are not shown in the website UI.
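As an added example (not GitLab's code and not part of the report), the two halves of the fix this report asks for: an audit helper that flags an API response still carrying an unmasked Discord/Slack webhook URL, and a redaction step that masks such properties before the response leaves the API, matching what the UI already does. The response layout (a "properties" object holding "webhook") and the webhook URL patterns are assumptions.

```python
import copy
import re

# Constructed sample, shaped like a GET /projects/:id/integrations/discord response.
# The "properties" object holding "webhook" is an assumption about the response layout;
# the webhook URL and token below are placeholders, not real credentials.
SAMPLE_RESPONSE = {
    "id": 42,
    "title": "Discord Notifications",
    "slug": "discord",
    "active": True,
    "properties": {
        "webhook": "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_NOT_REAL",
        "branches_to_be_notified": "all",
    },
}

# Webhook URL shapes whose path carries the bearer-like token (assumed formats for
# Discord and Slack incoming webhooks, not taken from the report).
SECRET_URL_PATTERNS = [
    re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"),
    re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
]
# Property names always treated as secrets regardless of their value.
SECRET_PROPERTY_NAMES = {"webhook", "token"}


def is_secret_property(name, value):
    """True when a property's name or value marks it as credential material."""
    if name in SECRET_PROPERTY_NAMES:
        return True
    return isinstance(value, str) and any(p.search(value) for p in SECRET_URL_PATTERNS)


def find_exposed_webhooks(response):
    """Audit helper: property names whose value is still an unmasked webhook URL."""
    return [
        name
        for name, value in response.get("properties", {}).items()
        if isinstance(value, str) and any(p.search(value) for p in SECRET_URL_PATTERNS)
    ]


def redact_secrets(response, mask="[MASKED]"):
    """Mitigation: copy of the response with secret-bearing properties masked, as the UI does."""
    redacted = copy.deepcopy(response)
    props = redacted.get("properties", {})
    for name, value in list(props.items()):
        if is_secret_property(name, value):
            props[name] = mask
    return redacted
```

Run `find_exposed_webhooks` over a saved API response to confirm the fix on your own instance; it returns an empty list once the webhook is masked.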
Output of checks
This bug happens on GitLab.com
Impact
The webhook URLs allow accessing and sending custom messages to the channels in Discord/Slack without any authentication. If they are leaked to an unauthorized user, he/she can send arbitrary messages and, depending on the configuration, can use this same bug to run commands in the channels.
Thanks!