Maintainer can leak sentry token by changing the configured URL (fix bypass)

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2104591 by 70rpedo on 2023-08-09, assigned to @nmalcolm:

Report

Summary

I was just reading a disclosed issue and found a bypass to leak the sentry token.
Note: This is a bypass of the patch made to this ISSUE.

The patch is simply checking if the url is changed by the following in app/services/error_tracking/list_projects_service.rb:

url_changed = !setting.api_url&.start_with?(params[:api_host])

There is a security flaw in the above. Suppose, for example, that a user hosts a sentry server on example.com and an attacker can obtain the example.co domain; then he can easily leak the sentry token. This works because example.com starts with example.co.
I have tested this using a burp collaborator link like the one below:
https://j5pruznnwl0raw6uptejk2wksby3ms.oastify.computer --> https://j5pruznnwl0raw6uptejk2wksby3ms.oastify.com

Steps to reproduce

Requirements: we need to create two user accounts on gitlab.com, for example UserA and UserB.

  1. Log in to Gitlab.com as UserA.
  2. Create a project.
  3. Go to https://gitlab.com/GROUPNAME/PROJECTNAME/-/settings/operations
  4. Expand 'Error tracking' and click Sentry.
  5. Configure with the server https://yourburpcolaburl.computer (this is a fake server that will let you add it with any token)
  6. Add a random token and click on save.
  7. Invite UserB as a maintainer of the project.
  8. Now log in as UserB on gitlab.com.
  9. Click on the project and change the sentry server url to https://yourburpcolaburl.com
  10. Now click connect (do not click save).
  11. Check your server and you should see a request containing the token.

step.png
Burp_Collaborator_client_001.png

CVSS

I think sentry token leak is enough to give the impact of confidentiality High and Integrity Low as the token will have both read and write access. As well as scope changed. The fact that the user needs to be a maintainer makes access required High. Feel free to modify this score if needed.

What is the current bug behavior?

The old token is sent with a connect request even if the URL has changed.

What is the expected correct behavior?

Changing the URL should require adding a new token even for connect requests.

Relevant logs and/or screenshots

Burp_Collaborator_client_001.png
step.png

Impact

Other users can leak the configured Sentry token, gaining access to the sentry server. The token gives read and write access to the Sentry instance.
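The prefix check quoted in the report, placed beside a whole-origin comparison, as an added Ruby example that is neither GitLab's code nor the fix that shipped; `url_changed_origin?` and `token_for_connect` are assumed names, and the sample URLs are constructed:

```ruby
require 'uri'

# The check the report quotes: a plain string prefix test. A configured
# "https://example.com/..." starts with a submitted "https://example.co",
# so the host swap is treated as "unchanged" and the stored token is reused.
def url_changed_prefix?(configured_api_url, new_api_host)
  !configured_api_url.to_s.start_with?(new_api_host.to_s)
end

# Hardened comparison (assumption, not GitLab's actual patch): parse both
# values and compare scheme, host and effective port as whole components,
# so "example.co" can never match "example.com". Anything that does not
# parse as an http(s) URL with a host is treated as a change.
def url_changed_origin?(configured_api_url, new_api_host)
  old_uri = URI.parse(configured_api_url.to_s)
  new_uri = URI.parse(new_api_host.to_s)
  return true unless old_uri.is_a?(URI::HTTP) && new_uri.is_a?(URI::HTTP)
  return true if old_uri.host.nil? || new_uri.host.nil?
  origin = ->(u) { [u.scheme.downcase, u.host.downcase, u.port] }
  origin.call(old_uri) != origin.call(new_uri)
rescue URI::InvalidURIError
  true
end

# Expected behaviour stated in the report: once the URL changes, the stored
# token must not be reused for a connect request; the caller has to submit
# a fresh one. Returns nil when no usable token exists.
def token_for_connect(stored_token, submitted_token, configured_api_url, new_api_host)
  return submitted_token unless submitted_token.to_s.empty?
  url_changed_origin?(configured_api_url, new_api_host) ? nil : stored_token
end

if __FILE__ == $PROGRAM_NAME
  configured = 'https://example.com/api/0/projects/'
  puts "prefix check sees change: #{url_changed_prefix?(configured, 'https://example.co')}"
  puts "origin check sees change: #{url_changed_origin?(configured, 'https://example.co')}"
end
```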

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Edited by Nick Malcolm