Cube API key is leaked to Developers and higher in the same group

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2502047 by yvvdwf on 2024-05-12, assigned to @ottilia_westerlund:


Report

Hello,

This code exposes cube_api_key to members having at least the Developer role.

Reproduce at gitlab.com

  1. As Maintainer (or Owner) of an existing project (or create a new project) which has an Ultimate plan:
  • go to Settings / Analytics / Data source, then fill in the form as you want
  2. As a project member who has the Developer role:
  • go to Analyze / Analytics dashboards
  • view the source code of the page
  • you should see the cube_api_key value in the code

Impact

Exposes cube_api_key to other project members:

  • S:C as cube_api_key can be used to access the cube.dev data source
  • PR:L as a member having the Developer role can access to

Best regards,
yvvdwf
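As an added example that is not part of the report or of GitLab's code, the pattern that keeps the key out of the page source (allowlist the fields the frontend needs instead of serialising the whole data-source settings) together with a regression check that mirrors the reporter's view-source step. The settings field names, the HTML container and the sample values are assumed for illustration.

```ruby
require 'json'

# Constructed sample of a project's data-source settings (not real values).
SETTINGS = {
  'cube_api_base_url' => 'https://cube.example.invalid',
  'cube_api_key'      => 'EXAMPLE-SECRET-KEY-not-a-real-credential'
}.freeze

# Keys allowed to reach the browser. The API key is deliberately absent:
# a Developer-role member only needs what the dashboard requires to render.
# An allowlist (rather than a blocklist) also keeps any secret added later
# from leaking by default.
FRONTEND_ALLOWLIST = %w[cube_api_base_url].freeze

# Build the payload the dashboard page embeds as a data attribute.
def frontend_data(settings)
  settings.slice(*FRONTEND_ALLOWLIST)
end

# Hardened rendering: only the allowlisted subset is serialised into the page.
def render_dashboard_data_attr(settings)
  %(<div id="js-analytics-dashboards" data-config='#{JSON.generate(frontend_data(settings))}'></div>)
end

# Leaking pattern, shown for contrast (hypothetical, not the actual GitLab code):
# the entire settings hash, secret included, ends up in the page source.
def unsafe_render(settings)
  %(<div id="js-analytics-dashboards" data-config='#{JSON.generate(settings)}'></div>)
end

# Regression check mirroring the reporter's "view source" step: the secret
# value must not appear anywhere in the rendered HTML, whatever the viewer's role.
def leaks_secret?(html, settings)
  secret = settings['cube_api_key']
  !secret.nil? && !secret.empty? && html.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render leaks key:   #{leaks_secret?(unsafe_render(SETTINGS), SETTINGS)}"
  puts "hardened render leaks key: #{leaks_secret?(render_dashboard_data_attr(SETTINGS), SETTINGS)}"
end
```

A check like `leaks_secret?` belongs in the view or feature spec for the dashboards page, run as a member holding only the Developer role.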

How To Reproduce

Please add reproducibility information to this section:
