
Creating an access token that never expires, bypassing the 1-year automatic expiry functionality.

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1998426 by jeetbhdr on 2023-05-23, assigned to @nmalcolm:


Report

Summary

In the latest version of GitLab, 16.0, the creation of access tokens without an expiry date was removed. But due to an issue in the user input validation, I was able to create a token that never expires, bypassing the 1-year expiry date.

Steps to reproduce

1. Log in to your GitLab account.
2. Go to Edit Profile ---> Access token.


3. Here, give the access token a name and an expiration date, select a scope ----> Create personal access token, and intercept the request.

POST /-/profile/personal_access_tokens HTTP/2  
Host: gitlab.com  
Cookie:   
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://gitlab.com/-/profile/personal_access_tokens  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 128  
Origin: https://gitlab.com  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-Bug-Bounty: jeetbhdr  
Te: trailers

personal_access_token%5Bname%5D=bbb&personal_access_token%5Bexpires_at%5D=0000-00-00&personal_access_token%5Bscopes%5D%5B%5D=api  

4. Here, in the POST request body, change the expires_at to 0000-00-00 and send the request.
5. You will be able to create a personal access token that never expires.

  1. Using your browser's inspector, delete the expiry input
  2. Click submit and see a personal access token that doesn't expire

Impact

Bypassing the GitLab restriction that doesn't allow creating an access token that never expires.

What is the current bug behavior?

Create an access token that never expires.

What is the expected correct behavior?

According to GitLab documentation, a GitLab access token should expire after 365 days.

Thank you for looking into my report. If you want additional information, feel free to ask.

Regards,
Jeetbhdr

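The expected-behavior section above says a token should expire after 365 days, and the report shows how a value like `0000-00-00` can slip through validation. As an added example, not GitLab's own code, here is a hypothetical Rails-style validator for the `expires_at` field that rejects non-calendar dates outright and applies the 365-day default when the input is missing, so an unparseable value can never become a never-expiring token. The module name, the `Result` struct and the injected `today:` clock are assumptions made for this example.

```ruby
require "date"

# Hypothetical server-side validator (added example, not GitLab code) for the
# personal_access_token[expires_at] form field. The bypass in the report works
# when a non-date string is parsed to nil and nil is treated as "no expiry";
# here an unparseable value is rejected, never silently turned into nil.
module ExpiryValidator
  MAX_LIFETIME_DAYS = 365
  DATE_RE = /\A(\d{4})-(\d{2})-(\d{2})\z/

  Result = Struct.new(:ok, :expires_at, :error)

  # raw:   the submitted string (nil when the input was deleted from the form)
  # today: injected clock so the checks are deterministic in tests
  def self.validate(raw, today: Date.today)
    latest = today + MAX_LIFETIME_DAYS
    # Missing or blank input: apply the documented default, never "no expiry".
    return Result.new(true, latest, nil) if raw.nil? || raw.strip.empty?

    m = DATE_RE.match(raw.strip)
    return Result.new(false, nil, "expires_at must be YYYY-MM-DD") unless m

    y, mo, d = m.captures.map(&:to_i)
    # 0000-00-00 matches the regex but is not a calendar date.
    return Result.new(false, nil, "expires_at is not a valid date") unless Date.valid_date?(y, mo, d)

    date = Date.new(y, mo, d)
    return Result.new(false, nil, "expires_at must be in the future") if date <= today
    return Result.new(false, nil, "expires_at may not exceed #{MAX_LIFETIME_DAYS} days") if date > latest

    Result.new(true, date, nil)
  end
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2023, 5, 23) # report date, used as a fixed clock
  ["0000-00-00", "", nil, "2023-06-01", "2025-01-01", "2023-05-23", "garbage"].each do |v|
    r = ExpiryValidator.validate(v, today: today)
    puts "#{v.inspect.ljust(14)} => #{r.ok ? "ok, expires #{r.expires_at}" : "reject: #{r.error}"}"
  end
end
```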

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

expiry

Edited by Nick Malcolm