Maintainer can leak Datadog API key by changing Datadog site
HackerOne report #1836466 by akadrian
on 2023-01-16, assigned to @fvpotvin:
Report
Summary
This is similar to #377799 (closed).
This time the URL is leaked when a maintainer intentionally sets the Datadog Site field to an invalid host and reviews the logs after clicking the "Test settings" button.
GitLab will try to connect to the host, but since the host name is invalid it will return the information that "Host cannot be resolved or invalid", and the full URL will be added with the API token.
Steps to reproduce
1. Create a Victim account.
2. Create an Attacker account.
3. Create victim-project in the Victim account.
4. Invite the Attacker account to victim-project as Maintainer.
5. As Victim, go to Settings->Integration->Datadog and set Datadog Site to your Datadog site.
6. As Victim, go to Settings->Integration->Datadog and set API Key to your key.
7. As Attacker, go to Settings->Integration->Datadog and set Datadog Site to an invalid hostname such as lalalelelinvalidforsure123321.com.
8. As Attacker, click "Test Settings".
9. As Attacker, review Recent events and notice that the victim's key is attached to the error.
Impact
The Datadog API key can be leaked. This could result in unauthorized actions on the victim's Datadog instance.
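One way to keep a credential-bearing URL out of a logged error like the one described in the report, as an added example that is not part of the report or of GitLab's code. The parameter names in `SENSITIVE_PARAMS` (including `dd-api-key`), the helper names and the sample message are assumptions made for illustration.

```ruby
require 'uri'

# Query parameters treated as credentials. The names are assumptions: the
# report only says the API token is part of the logged URL.
SENSITIVE_PARAMS = %w[dd-api-key api_key api-key token].freeze
MASK = '[FILTERED]'
URL_PATTERN = %r{https?://[^\s"'<>]+}

# True when a query parameter name (possibly percent-encoded) is sensitive.
def sensitive_param?(name)
  SENSITIVE_PARAMS.include?(URI.decode_www_form_component(name).downcase)
rescue ArgumentError
  true # undecodable name: mask the value rather than risk leaking it
end

# Mask the values of sensitive query parameters in a single URL, leaving
# host, path and non-sensitive parameters readable for debugging.
def redact_url(url)
  base, rest = url.split('?', 2)
  return url unless rest

  query, fragment = rest.split('#', 2)
  masked = query.to_s.split('&').map do |pair|
    name, value = pair.split('=', 2)
    value && sensitive_param?(name) ? "#{name}=#{MASK}" : pair
  end
  out = "#{base}?#{masked.join('&')}"
  fragment ? "#{out}##{fragment}" : out
end

# Redact every URL embedded in a free-text error message before it is
# written to a log or shown in an event list.
def redact_message(message)
  message.gsub(URL_PATTERN) { |url| redact_url(url) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the host, path and key are made up.
  sample = 'Host cannot be resolved or invalid: ' \
           'https://invalid-host.example/hook?dd-api-key=CONSTRUCTEDKEY123&env=ci'
  puts redact_message(sample)
end
```

Redaction at the logging layer limits what a log reader sees; it does not change who is allowed to edit the integration's site field while a stored key is reused.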
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: