
Dependency Proxy Credentials are Logged in Plaintext in graphql Logs

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2477062 by ac7n0w on 2024-04-24, assigned to @ngeorge1:


Report

Summary

While attempting to submit a report for https://hackerone.com/reports/2466205, I made several attempts to identify why the issue could not be reproduced, which led me to go through a large number of logs.

By chance, I noticed that the plaintext credentials for the Dependency Proxy that I had added and modified were visible in /var/log/gitlab/gitlab-rails/graphql_json.log. At the time, I didn't realize anything was amiss.

It was only after successfully reproducing issue #2466205 on gitlab.com that a sense of unease set in. If I had used my actual Dependency Proxy address, then any GitLab employee with access to the logs could have obtained my credentials.

Recognizing the significant security risk this posed, I decided to report this issue.

I confirmed the vulnerability on versions v16.10.2-ee and v16.11.0-ee. To test this, you must install version 16.xx.xx-ee (not the CE version) and have a license to enable Ultimate features. If you do not have a license, you can obtain one by following the instructions in the hackerone-triage-team-gitlab-licenses.

Steps to Reproduce
  1. Install GitLab v16.11.0-ee on a server <host>, and create a project with root <repo_name>.
  2. Navigate to root/<repo_name> -> [Settings] -> [Packages and registries], and locate the Dependency Proxy settings at the bottom of the page.
  3. Enable [Enable Dependency Proxy] and enter the URL, Username, and Password, for example, you might enter the password PasswordLeakFlag.
  4. SSH into the <host> server: ssh root@<host>.
  5. Use the grep command to search for PasswordLeakFlag (a quick method, but you can also directly locate and open the graphql_json.log file, where you will find the password in plaintext):
grep -r "PasswordLeakFlag" /var/log/gitlab/

Impact

  1. For GitLab self-managed instances, the Dependency Proxy credentials entered by users could be exposed to anyone with access to the logs.
  2. For gitlab.com SaaS, the plaintext credentials of both users and enterprises for the Dependency Proxy are stored in logs, which may be ingested into various log analysis and statistical platforms, potentially exposing them to GitLab employees of different roles.
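
The procedure above finds one known sentinel value with grep. A more general check, added here as an example and not part of the report or of GitLab's code, parses the JSON-per-line log and flags any GraphQL mutation variable whose key looks like a credential, and shows the redaction a fixed logger should apply before writing. The log shape (one JSON object per line with "operation_name" and "variables" fields, where "variables" may be an object or a JSON-encoded string) is an assumption modelled on GitLab's graphql_json.log; the operation name "updateProxySettings" is a placeholder and the sample lines are constructed.

```python
"""Scan GitLab-style graphql_json.log lines for plaintext credentials.

Added example. The log shape (one JSON object per line with
"operation_name" and "variables" fields) is an ASSUMPTION modelled on
GitLab's GraphQL logging; the sample lines below are CONSTRUCTED and the
operation name is a placeholder, not a real GitLab mutation name.
"""
import json
from typing import Any, Iterable

# Variable names whose values should never be written to a log verbatim.
SENSITIVE_KEYS = {"password", "token", "secret", "privatekey", "private_key"}

# Constructed sample log lines (NOT real log output).
SAMPLE_LOG = [
    json.dumps({
        "time": "2024-04-24T10:00:00.000Z",
        "operation_name": "updateProxySettings",  # placeholder name
        "query_string": "mutation updateProxySettings($input: Input!) { ... }",
        # GitLab may log variables as a JSON-encoded string, as here.
        "variables": json.dumps({"input": {
            "projectPath": "root/example-project",
            "url": "https://registry.example.com",
            "username": "proxyuser",
            "password": "PasswordLeakFlag",
        }}),
    }),
    json.dumps({
        "time": "2024-04-24T10:00:01.000Z",
        "operation_name": "getProject",
        "query_string": "query getProject($path: ID!) { project(fullPath: $path) { id } }",
        "variables": {"path": "root/example-project"},  # object form
    }),
    "not json at all",  # a non-structured line must not crash the scanner
]


def _walk(obj: Any, path: tuple = ()):
    """Yield (key_path, value) for every leaf in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, path + (str(k),))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, path + (str(i),))
    else:
        yield path, obj


def _load_variables(entry: dict) -> Any:
    """Accept variables either as an object or as a JSON-encoded string."""
    raw = entry.get("variables")
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return {}
    return raw or {}


def find_leaked_credentials(lines: Iterable[str]) -> list:
    """Return one finding per credential-like variable logged in plaintext."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unstructured lines rather than abort the scan
        for path, value in _walk(_load_variables(entry)):
            if path and path[-1].lower() in SENSITIVE_KEYS and value not in (None, ""):
                findings.append({
                    "line": lineno,
                    "operation": entry.get("operation_name"),
                    "variable": ".".join(path),
                    "value": value,
                })
    return findings


def redact_variables(variables: Any) -> Any:
    """What a fixed logger should do before writing: mask sensitive leaves."""
    if isinstance(variables, dict):
        return {k: ("[FILTERED]" if str(k).lower() in SENSITIVE_KEYS else redact_variables(v))
                for k, v in variables.items()}
    if isinstance(variables, list):
        return [redact_variables(v) for v in variables]
    return variables


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['operation']} logged {f['variable']} = {f['value']!r}")
    leaked = json.loads(json.loads(SAMPLE_LOG[0])["variables"])
    print("redacted:", redact_variables(leaked))
```

Run it against a real file with `find_leaked_credentials(open("/var/log/gitlab/gitlab-rails/graphql_json.log"))`; the key-name match is deliberately broad, so review findings by hand, and note that the redaction shown is the behaviour to expect from a fix, not the code GitLab shipped.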

How To Reproduce

Please add reproducibility information to this section: