Kubernetes cluster token visible for all-level clusters
HackerOne report #702796 by xanbanx
on 2019-09-27, assigned to @cmaxim:
Hi GitLab Security Team,
Summary
GitLab allows adding group-level Kubernetes clusters. This allows adding an existing cluster by entering a cluster URL and a token. However, this token is not properly masked, allowing everyone who can visit the cluster page to also get the Kubernetes cluster token. So everyone who is in possession of the token also gets full access to the cluster.
Steps to reproduce
Tested on GitLab Enterprise Edition 12.3.0-pre 2d096e82
- Create a group and go to https://example.gitlab.com/groups/<group-name>/-/clusters
- Click on "Add existing Cluster"
- Fill in Kubernetes cluster name: Test, API URL: https://foo.bar, Service Token: My Secret Token and save the page
- Now scroll down to "Kubernetes cluster details". Here, you see the Service token being masked. However, you can reveal the token by clicking on "Show" on the right side.
Now the Kubernetes token is leaked.
Impact
Kubernetes cluster token being leaked after being entered into GitLab. This allows anyone who can visit the Cluster page to steal the cluster token.
What is the current bug behavior?
Kubernetes cluster token can be revealed in Kubernetes integration.
What is the expected correct behavior?
Once the Kubernetes cluster token is entered, you cannot reveal it again, so remove the Show button.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
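The expected behaviour the reporter describes (a token that can be written but never read back through the UI) can be illustrated with a write-only presenter pattern. The following is an added example, not GitLab's own code; the record, presenter and method names are hypothetical and the sample cluster data is constructed.

```ruby
# Added example (not GitLab's code): contrast a presenter that hands the stored
# service token back to the UI with one that treats the token as write-only.
# All names here are hypothetical; the sample record below is constructed.

# In-memory stand-in for a cluster integration record.
ClusterRecord = Struct.new(:name, :api_url, :token) do
  # Write-only update rule: a blank submission keeps the existing token instead
  # of clearing it, so the form never has to echo the secret back to be kept.
  def update_token(new_token)
    self.token = new_token unless new_token.to_s.strip.empty?
    self
  end
end

# Leaky presenter: serialises the raw token, so any "Show" control (or a look at
# the page source / API response) reveals it to whoever can view the page.
class LeakyClusterPresenter
  def initialize(cluster)
    @cluster = cluster
  end

  def to_h
    { name: @cluster.name, api_url: @cluster.api_url, token: @cluster.token }
  end
end

# Hardened presenter: the secret never leaves the server once stored. The UI is
# told only that a token exists and receives a fixed mask to display.
class WriteOnlyClusterPresenter
  MASK = "********".freeze

  def initialize(cluster)
    @cluster = cluster
  end

  def to_h
    {
      name: @cluster.name,
      api_url: @cluster.api_url,
      token_set: !@cluster.token.to_s.empty?,
      token_display: MASK
    }
  end
end

# Review-time check: does a presented payload contain the secret anywhere?
def leaks_secret?(payload, secret)
  payload.values.any? { |v| v.is_a?(String) && v.include?(secret) }
end
```

A page that exposes only `token_set` and a mask has nothing for a reveal button to show, which is the fix the report asks for.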