Creating an access token that never expires, bypassing the 1-year automatic expiry functionality.
HackerOne report #1998426 by jeetbhdr
on 2023-05-23, assigned to @nmalcolm:
Report
Summary
In the latest version of GitLab, 16.0, the creation of access tokens without an expiry date was removed. But due to an issue in the user input validation, I was able to create a token that never expires, bypassing the 1-year expiry date.
Steps to reproduce
1. Login to your GitLab account.
2. Go to Edit Profile ---> Access token.
3. Here give the access token a name and an expiration date, select a scope ----> Create Personal Access Token, and intercept the request.
POST /-/profile/personal_access_tokens HTTP/2
Host: gitlab.com
Cookie:
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.com/-/profile/personal_access_tokens
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: https://gitlab.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Bug-Bounty: jeetbhdr
Te: trailers
personal_access_token%5Bname%5D=bbb&personal_access_token%5Bexpires_at%5D=0000-00-00&personal_access_token%5Bscopes%5D%5B%5D=api
4. Here in the POST request body change the expires_at value to 0000-00-00 and send the request.
5. You will be able to create a personal access token that never expires.
- Using your browser's inspector, delete the expiry input
- Click submit and see a personal access token that doesn't expire
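To show the defensive side of this report, here is an added Ruby example (not GitLab's own code) of a strict server-side validator for the expires_at form field, next to the permissive parsing pattern that would let a value like 0000-00-00 fall through as "no expiry". The function names, the 365-day constant and the behaviour of the permissive variant are assumptions for illustration.

```ruby
require 'date'

# Maximum lifetime for a personal access token (365 days, per the report).
MAX_TOKEN_LIFETIME_DAYS = 365

# Permissive pattern that reproduces the reported failure mode: an
# unparseable expiry silently becomes nil, and a nil expiry is then stored
# as "never expires". Hypothetical illustration, not GitLab's actual code.
def permissive_expires_at(raw)
  Date.strptime(raw.to_s, '%Y-%m-%d')
rescue ArgumentError
  nil
end

# Strict validation of the `expires_at` value. Returns [:ok, Date] or
# [:error, message]; a missing or invalid value is never treated as "no expiry".
def validate_expires_at(raw, today: Date.today)
  # Absent or blank input must be rejected, not defaulted to nil.
  return [:error, 'expiry date is required'] if raw.nil? || raw.strip.empty?

  # Only a strict ISO 8601 calendar date is accepted. Date.strptime raises
  # on "0000-00-00" because month 0 and day 0 are not valid.
  begin
    date = Date.strptime(raw.strip, '%Y-%m-%d')
  rescue ArgumentError
    return [:error, "expiry date is not a valid date: #{raw.inspect}"]
  end

  return [:error, 'expiry date must be in the future'] if date <= today
  if date > today + MAX_TOKEN_LIFETIME_DAYS
    return [:error, "expiry date must be within #{MAX_TOKEN_LIFETIME_DAYS} days"]
  end

  [:ok, date]
end
```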
Impact
Bypassing the GitLab restriction that doesn't allow creating an access token that never expires.
What is the current bug behavior?
Create an access token that never expires.
What is the expected correct behavior?
According to GitLab documentation, a GitLab access token should expire after 365 days.
Thank you for looking into my report. If you want additional information, feel free to ask.
Regards,
Jeetbhdr