
Google Cloud Logging private key shown in plain text in GitLab UI, leaking to other group owners

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2079154 by joaxcar on 2023-07-21, assigned to GitLab Team:


Report

Summary

GitLab 16.2 added functionality to use Google Cloud Logging for audit streams. See https://docs.gitlab.com/ee/administration/audit_event_streaming/#google-cloud-logging-streaming

When configuring this feature a group owner will add a Google Cloud private key to authenticate towards Google Cloud. This private key is not hidden from other owners of the group (or in other situations where others might see the screen).

This is something that GitLab usually hides (see reports https://hackerone.com/reports/1791331 and https://hackerone.com/reports/1557992 for examples of plain text webhook tokens and keys, and this https://hackerone.com/reports/1780770 for leaking google keys). The privilege required is high, but as the impact is access to another system the scope changes.

Steps to reproduce
  1. Create a user with Ultimate access (either by starting a trial or using a self-hosted server)
  2. Create a new group https://gitlab.com/groups/new
  3. Go to https://gitlab.com/groups/YOUR_GROUP/-/audit_events?tab=streams
  4. Click "add streaming destination" and select Google Cloud Logging
  5. Add some fake information in all fields, and add something looking like a Google Cloud key in the key field:

```json
{
  "type": "service_account",
  "project_id": "demo-project",
  "private_key_id": "f871b60d0617be19393bb66ea142887fc9621360",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----",
  "client_email": "look-no-keys@demo-project.iam.gserviceaccount.com",
  "client_id": "102234449335144000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/look-no-keys%40demo-project.iam.gserviceaccount.com"
}
```

  6. Click save
  7. Expand the created stream and see that the secret key is shown in plain text
  8. Optional: add another user as an owner of the group, log in as that user and go to the same page to see the key

Impact

Other owners can access Google Cloud as the user that has configured the service

What is the current bug behavior?

Not redacting secrets from UI

What is the expected correct behavior?

The key fields should be considered a secret input as other similar fields

Relevant logs and/or screenshots
Output of checks

This bug happens on GitLab.com

Impact

Leakage of Google Cloud private key
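The expected behaviour above is that the private key is treated as a secret input: stored, usable by the streaming job, but never echoed back to the page or the API. The following is an added example of that redaction step and of a test-time check for it; it is not GitLab's code and assumes nothing about GitLab's models or serializers beyond the shape of the pasted service-account JSON. It is written in Ruby because GitLab's backend is Rails. The sample key JSON is constructed (the `private_key` body is a placeholder, not a real credential), and `redacted_destination`, `leaked_fields`, `SECRET_FIELDS` and `MASK` are hypothetical names.

```ruby
require 'json'

# Constructed sample service-account key, shaped like the JSON a group owner
# pastes into the Google Cloud Logging destination form. The key material is
# a placeholder, not a real credential.
SAMPLE_KEY_JSON = <<~JSON
  {
    "type": "service_account",
    "project_id": "demo-project",
    "private_key_id": "f871b60d0617be19393bb66ea142887fc9621360",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIBOgIBAAJBAKPLACEHOLDER\\n-----END RSA PRIVATE KEY-----\\n",
    "client_email": "look-no-keys@demo-project.iam.gserviceaccount.com",
    "client_id": "102234449335144000000"
  }
JSON

# Fields that must never be echoed back to a UI or API consumer once stored.
# The report concerns private_key; the list is the extension point for any
# other secret field in the same form.
SECRET_FIELDS = %w[private_key].freeze
MASK = '********'

# Representation that is safe to render to any group owner: each secret field
# is replaced by a fixed mask, and a boolean records that a value is configured
# so the form can offer "replace key" without ever showing the stored value.
def redacted_destination(config_json)
  config = JSON.parse(config_json)
  safe = config.dup
  SECRET_FIELDS.each do |field|
    next unless config.key?(field)
    safe[field] = MASK
    safe["#{field}_present"] = !config[field].to_s.empty?
  end
  safe
end

# Check for a view or serializer test: which secret fields from the stored
# config appear verbatim in the rendered output? An empty array means clean.
# Both the raw value and its JSON-escaped form are checked, because a JSON
# response escapes the newlines inside a PEM block.
def leaked_fields(rendered, config_json)
  config = JSON.parse(config_json)
  SECRET_FIELDS.select do |field|
    value = config[field].to_s
    next false if value.empty?
    rendered.include?(value) || rendered.include?(value.to_json[1..-2])
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = JSON.parse(SAMPLE_KEY_JSON).to_json   # what the unredacted UI exposed
  fixed      = redacted_destination(SAMPLE_KEY_JSON).to_json
  puts "unredacted leaks: #{leaked_fields(vulnerable, SAMPLE_KEY_JSON).inspect}"
  puts "redacted leaks:   #{leaked_fields(fixed, SAMPLE_KEY_JSON).inspect}"
end
```

The design choice worth noting is the `private_key_present` flag: masking alone leaves the form unable to tell "no key configured" from "key configured", so a boolean travels with the masked field and the real value only ever flows from the form to storage, never back. `leaked_fields` is the kind of assertion a view or API serializer spec can run against the rendered output so a regression to plain-text display fails in CI rather than in another owner's browser.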

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Design

Screenshots and a GIF of the interaction (images not reproduced here):
  1. When the user opens a destination to edit it
  2. When the user clicks on "add a new private key"
  3. When the user puts in the new private key
  4. GIF of the interaction

Captions: a Google Cloud service link points to the place where the user can log in to their Google Cloud account; after the user chooses to add a new key, a text field and a cancel button show up; after the user puts in the key, the "Update destination" button is enabled.

Image files: new-3rd-party-private-key-1, 2-new-3rd-party-private-key-2, new-3rd-party-private-key-3, update-key
Edited by Kevin Morrison