SAML responses in logs allow replay attacks
Summary
When logging into a group via group SAML on gitlab.com, the full SAMLResponse parameter is captured in our logs; this is even visible in our own documentation at https://docs.gitlab.com/ee/user/group/saml_sso/example_saml_config.html#saml-response-example
We should redact the SAMLResponse parameter, because a logged response can be re-posted to the assertion consumer endpoint and will be accepted for as long as the assertion is within its validity window (its NotOnOrAfter condition).
Given the broad access to our production logs, this is an unnecessary risk: anyone who can read the logs could impersonate the user who just logged in.
Alternatively (or in addition) we could implement replay prevention on the service-provider side: remember the ID of each consumed assertion until its NotOnOrAfter time and reject any assertion whose ID has already been consumed, which is what the SAML 2.0 profiles require for bearer assertions.
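To make both proposed fixes concrete, here is an added example (my own illustration, not GitLab's code) in Ruby: a parameter-redaction helper that masks SAMLResponse the way Rails' config.filter_parameters would, and a small ReplayGuard that records consumed assertion IDs until their NotOnOrAfter time. The SAMLResponse below is a constructed, unsigned sample with fixed timestamps; names such as ReplayGuard, redact_params and replay_demo are my own and are not GitLab APIs, and signature verification, which must precede any of this, is deliberately out of scope.

```ruby
require 'base64'
require 'rexml/document'
require 'time'

SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Constructed sample SAMLResponse for illustration only: unsigned, fixed
# timestamps. A real response is signed and the signature must be verified
# before anything below is trusted.
SAMPLE_RESPONSE_XML = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_response-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Assertion ID="_assertion-abc123" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
      <saml:Subject>
        <saml:NameID>jane@example.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData NotOnOrAfter="2020-01-01T00:05:00Z"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z"/>
    </saml:Assertion>
  </samlp:Response>
XML
SAMPLE_SAML_RESPONSE = Base64.strict_encode64(SAMPLE_RESPONSE_XML).freeze

# Request parameters whose values must never reach the logs (assumed list).
SENSITIVE_PARAMS = %w[SAMLResponse SAMLRequest].freeze

# Returns a copy of the request params with sensitive values masked, mirroring
# what Rails' config.filter_parameters does for the request logger.
def redact_params(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = SENSITIVE_PARAMS.include?(key.to_s) ? '[FILTERED]' : value
  end
end

# Pulls the assertion ID and its NotOnOrAfter condition out of a base64
# SAMLResponse (enough for the replay check; not a full SAML validator).
def parse_assertion(saml_response_b64)
  doc = REXML::Document.new(Base64.strict_decode64(saml_response_b64))
  assertion = REXML::XPath.first(doc, '//saml:Assertion', SAML_NS)
  raise ArgumentError, 'no Assertion element' unless assertion

  conditions = REXML::XPath.first(assertion, 'saml:Conditions', SAML_NS)
  {
    id: assertion.attributes['ID'],
    not_on_or_after: Time.iso8601(conditions.attributes['NotOnOrAfter'])
  }
end

# Service-provider side replay protection: remember every consumed assertion ID
# until it would have expired anyway, and refuse to consume the same ID twice.
# (In-memory here; a shared store such as Redis is needed across app nodes.)
class ReplayGuard
  def initialize(clock: -> { Time.now.utc })
    @clock = clock
    @consumed = {} # assertion ID => NotOnOrAfter
  end

  # true if the assertion is within its validity window and has not been seen
  # before (and records it); false if it is expired or a replay.
  def accept?(assertion_id, not_on_or_after)
    now = @clock.call
    @consumed.delete_if { |_, expiry| now >= expiry } # entries past expiry cannot replay anyway
    return false if now >= not_on_or_after
    return false if @consumed.key?(assertion_id)

    @consumed[assertion_id] = not_on_or_after
    true
  end
end

# Presents the same logged SAMLResponse twice at a fixed clock time; returns
# [first_result, second_result].
def replay_demo(at)
  guard = ReplayGuard.new(clock: -> { at })
  a = parse_assertion(SAMPLE_SAML_RESPONSE)
  [guard.accept?(a[:id], a[:not_on_or_after]), guard.accept?(a[:id], a[:not_on_or_after])]
end

if __FILE__ == $PROGRAM_NAME
  p redact_params('SAMLResponse' => SAMPLE_SAML_RESPONSE, 'RelayState' => 'group-login')
  p replay_demo(Time.utc(2020, 1, 1, 0, 1, 0))  # within window: first accepted, replay rejected
  p replay_demo(Time.utc(2020, 1, 1, 0, 10, 0)) # after NotOnOrAfter: both rejected
end
```

Redaction alone removes the exposure through our logs; the replay guard closes the window for any other copy of the response (a proxy log, a browser history, a captured request), so the two are complementary rather than alternatives.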
Steps to reproduce
- Intercept any group SAML login (or take the SAMLResponse value from the logs) and re-post it to the assertion consumer endpoint within its validity window; the login succeeds.
What is the current bug behavior?
SAML responses are logged in full and can be replayed.
What is the expected correct behavior?
The SAMLResponse parameter is redacted from the logs, and/or SAML responses cannot be replayed.