Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • GitLab GitLab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 54.9k
    • Issues 54.9k
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 1.5k
    • Merge requests 1.5k
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Package Registry
    • Container Registry
    • Terraform modules
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.orgGitLab.org
  • GitLabGitLab
  • Issues
  • #389188
Closed
Open
Issue created Jan 24, 2023 by GitLab SecurityBot@gitlab-securitybotReporter

Maintainer can leak Datadog API key by changing Datadog site

HackerOne report #1836466 by akadrian on 2023-01-16, assigned to @fvpotvin:

Report | Attachments | How To Reproduce

Report

Summary

This is similar to #377799 (closed).
This time URL is leaked when maintainer intentionally set Datadog Site field into invalid host and reviews logs after clicking "Test settings" button.
Gitlab will try to connect to the host but since the host name is invalid it will return information that "Host cannot be resolved or invalid"
and full URL will be added with API token.

Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

1 Create Victim Account
2 Create Attacker Account
3 Create victim-project in Victim Account
4 Invite Attacker Account to the victim-project as Maintainer
5 As Victim Go to Settings->Integration->Datadog and set Datadog Site to your Datadog Site
6 As Victim Go to Settings->Integration->Datadog and set Api Key to your Key
7 As Attacker Go to Settings->Integration->Datadog and set Datadog Site to invalid hostname such as lalalelelinvalidforsure123321.com
8 As Attacker Click "Test Settings"
9 As attacker review Recent events and notice that victim key is attached to the error

Impact

Datadog API key can be leaked. This could result in unauthorized actions on victim Datadog instance.

Impact

Datadog API key can be leaked. This could result in unauthorized actions on victim Datadog instance.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • recording-1673902364328.webm

How To Reproduce

Please add reproducibility information to this section:

Assignee
Assign to
Time tracking