Maintainer can leak Datadog API key by changing Datadog site

HackerOne report #1836466 by akadrian on 2023-01-16, assigned to @fvpotvin:

Report

Summary

This is similar to #377799 (closed).
This time the URL is leaked when a maintainer intentionally sets the Datadog Site field to an invalid host and reviews the logs after clicking the "Test settings" button.
GitLab will try to connect to the host, but since the host name is invalid it will return the information that "Host cannot be resolved or invalid",
and the full URL will be added with the API token.

Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

1. Create Victim Account
2. Create Attacker Account
3. Create victim-project in Victim Account
4. Invite Attacker Account to the victim-project as Maintainer
5. As Victim, go to Settings->Integration->Datadog and set Datadog Site to your Datadog Site
6. As Victim, go to Settings->Integration->Datadog and set Api Key to your Key
7. As Attacker, go to Settings->Integration->Datadog and set Datadog Site to an invalid hostname such as lalalelelinvalidforsure123321.com
8. As Attacker, click "Test Settings"
9. As Attacker, review Recent events and notice that the victim key is attached to the error

Impact

The Datadog API key can be leaked. This could result in unauthorized actions on the victim's Datadog instance.
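
A defensive counterpart to the leak described in this report, added here as an example and not GitLab's own code or fix: error text from a "Test settings" style request is redacted before it reaches a log or the UI. The `dd-api-key` parameter name, the URL shape, the helper names and the sample key are assumptions or constructed values.

```ruby
require 'cgi'

MASK = '[FILTERED]'
# Query parameter names treated as secret. 'dd-api-key' is assumed to be the
# parameter carrying the Datadog key; the others are illustrative.
SENSITIVE_PARAMS = %w[dd-api-key api_key token].freeze
PARAM_RE = /([?&](?:#{SENSITIVE_PARAMS.map { |p| Regexp.escape(p) }.join('|')})=)[^&\s"'#]*/i

# Returns +text+ with secret query values and any known secret strings masked.
def redact(text, secrets: [])
  out = text.gsub(PARAM_RE) { "#{Regexp.last_match(1)}#{MASK}" }
  secrets.compact.reject(&:empty?).each do |secret|
    # Mask both the raw and the URL-encoded form of the stored secret, so a
    # key that appears outside a known parameter is still caught.
    [secret, CGI.escape(secret)].uniq.each { |form| out = out.gsub(form, MASK) }
  end
  out
end

# Hypothetical wrapper around a "Test settings" request: whatever the HTTP
# client raises, only the redacted message is returned for logging or display.
def test_settings_result(secrets:)
  yield
  { success: true, message: 'ok' }
rescue StandardError => e
  { success: false, message: redact(e.message, secrets: secrets) }
end

# Constructed sample: the key and URL are made up for this example.
SAMPLE_KEY = 'constructed0123456789abcdefkey'
SAMPLE_URL = "https://lalalelelinvalidforsure123321.com/api/v2/webhook?dd-api-key=#{SAMPLE_KEY}&env=ci"

# Simulates the failed connection from the report and returns what would be logged.
def sample_result
  test_settings_result(secrets: [SAMPLE_KEY]) do
    raise "URL '#{SAMPLE_URL}' is blocked: Host cannot be resolved or invalid"
  end
end
```

Redaction of this kind limits what an error path can expose; it does not address a stored key being sent to a host that another project member chose.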

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: