Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners
HackerOne report #2079154 by joaxcar
on 2023-07-21, assigned to GitLab Team
Report
Summary
GitLab 16.2 added functionality to use Google Cloud Logging for audit streams. See https://docs.gitlab.com/ee/administration/audit_event_streaming/#google-cloud-logging-streaming
When configuring this feature, a group owner adds a Google Cloud service account private key to authenticate to Google Cloud. This private key is not hidden from other owners of the group (or from anyone else who can see the screen).
This is something that GitLab usually hides (see reports https://hackerone.com/reports/1791331 and https://hackerone.com/reports/1557992 for examples of plain-text webhook tokens and keys, and https://hackerone.com/reports/1780770 for leaking Google keys). The privilege required is high, but as the impact is access to another system, the scope changes.
Steps to reproduce
- Create a user with Ultimate access (either by starting a trial or using a self-hosted server)
- Create a new group at https://gitlab.com/groups/new
- Go to https://gitlab.com/groups/YOUR_GROUP/-/audit_events?tab=streams
- Click "Add streaming destination" and select Google Cloud Logging
- Add some fake information in all fields; in the key field, add something that looks like a Google Cloud key:
{
"type": "service_account",
"project_id": "demo-project",
"private_key_id": "f871b60d0617be19393bb66ea142887fc9621360",
"private_key": "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----",
"client_email": "look-no-keys@demo-project.iam.gserviceaccount.com",
"client_id": "102234449335144000000",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/look-no-keys%40demo-project.iam.gserviceaccount.com"
}
- Click save
- Expand the created stream and see that the secret key is shown in plain text
- Optional: add another user as an owner of the group, log in as that user and go to the same page to see the key
Impact
Other owners can access Google Cloud as the service account whose key was configured by the group owner
What is the current bug behavior?
Not redacting secrets from UI
What is the expected correct behavior?
The key fields should be treated as secret input, as other similar fields are, and never be rendered back in plain text
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Impact
Leakage of Google Cloud private key