Username and password disclosed from mirror repository error message when mirroring failed

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2520722 by gudanggaramfilter on 2024-05-26, assigned to GitLab Team:


Report

Summary

When a user forces a push (Update now), GitLab leaks the user's password when adding a mirror with Git credentials. When you press Update now in the Mirroring repositories section, it displays the username and password in the error messages.

Steps to reproduce
  1. Create a project.
  2. Click Settings -> Repository.
  3. Click expand on Mirroring repositories.
  4. Enter the URL git://00000000.01020304.rbndr.us:1339/aaaa/aaaa
  5. Fill in your username and password (your secret).
  6. Click Mirror repository to create a mirror.
  7. Press the Update now button.
  8. You can see your username and password in the error message.

Cuplikan_layar_2024-05-26_100819.png

Additional: If you get the error message "The remote mirror URL is invalid.", press Update now again or recreate the URL from the first step.

Impact

Other manager-level users may see passwords from incorrect mirrors that may have been set by other managers.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Cuplikan_layar_2024-05-26_100819.png

How To Reproduce

Please add reproducibility information to this section:
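The disclosure above comes from surfacing a failed-mirror error verbatim when the error text echoes a remote URL that carries `user:password@` in its userinfo. The defensive pattern is to scrub any URL userinfo, and any literal occurrence of the configured credentials, out of error text before it is stored or shown to project maintainers. The Ruby below is an added illustration of that scrubbing, not GitLab's own code or its fix; the sample URL, host, user name, password and error text are all constructed placeholders, and the helper names are hypothetical.

```ruby
require 'uri'

# Constructed sample mirror URL with embedded credentials (host, user and
# password are placeholders, not values from the report).
SAMPLE_MIRROR_URL = 'git://alice:s3cr3t-pass@mirror.example.invalid:1339/aaaa/aaaa'.freeze

# Constructed sample of the kind of error text a failed mirror update might
# echo back: it repeats the URL verbatim and mentions the credentials again
# outside the URL.
SAMPLE_ERROR_OUTPUT =
  "fatal: unable to access '#{SAMPLE_MIRROR_URL}': Could not resolve host " \
  'mirror.example.invalid (remote rejected credentials for alice/s3cr3t-pass)'.freeze

# Matches the userinfo part (user:password@) of any scheme://...@ URL that
# occurs anywhere in a string.
USERINFO_IN_URL = %r{([a-z][a-z0-9+.\-]*://)[^\s/@]+@}i

# Replaces the userinfo of every URL found in +text+ with a fixed marker,
# keeping scheme, host, port and path so the message stays diagnosable.
def redact_userinfo(text)
  text.gsub(USERINFO_IN_URL, '\1[REDACTED]@')
end

# Pulls the user name and password out of +url+ so they can also be scrubbed
# from free text (tools sometimes print them outside the URL). Returns [] when
# the URL cannot be parsed or carries no credentials.
def credential_fragments(url)
  uri = URI.parse(url)
  [uri.user, uri.password].compact.reject(&:empty?)
rescue URI::InvalidURIError
  []
end

# Produces a version of +message+ that is safe to persist and show in the UI:
# the URL userinfo is masked and every literal occurrence of the user name or
# password is replaced. Over-redaction (a user name that also appears in a
# path, say) is accepted in exchange for never leaking the secret.
def scrub_error_message(message, url)
  scrubbed = redact_userinfo(message)
  credential_fragments(url).each do |secret|
    scrubbed = scrubbed.gsub(secret, '[REDACTED]')
  end
  scrubbed
end

if __FILE__ == $PROGRAM_NAME
  puts scrub_error_message(SAMPLE_ERROR_OUTPUT, SAMPLE_MIRROR_URL)
end
```

Scrubbing is applied to the raw error text at the point where it is captured, before it reaches a database column or a view, so that every later consumer (UI, API, logs) sees only the redacted form. The same scrub would be applied to the stored mirror URL itself whenever it is rendered back to a user.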
