
Kubernetes cluster token visible for all-level clusters

HackerOne report #702796 by xanbanx on 2019-09-27, assigned to @cmaxim:

Hi GitLab Security Team,

Summary

GitLab allows adding group-level Kubernetes clusters. This allows adding an existing cluster by entering a cluster URL and a token. However, this token is not properly masked, allowing everyone who can visit the cluster page to also get the Kubernetes cluster token. So everyone who is in possession of the token also gets full access to the cluster.

Steps to reproduce

Tested on GitLab Enterprise Edition 12.3.0-pre 2d096e82

  1. Create a group and go to https://example.gitlab.com/groups/<group-name>/-/clusters
  2. Click on Add existing Cluster
  3. Fill in Kubernetes cluster name: Test, API URL: https://foo.bar, Service Token: My Secret Token and save the page
  4. Now scroll down to Kubernetes cluster details. Here, you see the Service token being masked. However, you can reveal the token by clicking on Show on the right side.

Now the Kubernetes token is leaked.

Impact

Kubernetes cluster token being leaked after being entered into GitLab. This allows anyone who can visit the Cluster page to steal the cluster token.

What is the current bug behavior?

Kubernetes cluster token can be revealed in Kubernetes integration.

What is the expected correct behavior?

Once the Kubernetes cluster token is entered, you cannot reveal it again, so remove the Show button.

Output of checks

This bug happens on GitLab.com

Best regards,
Xanbanx

Impact

See above.
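The expected behaviour the reporter describes (a token that can be entered and used, but never read back through the UI) maps to a write-only secret attribute. The following is an added illustration, not GitLab's code: a hypothetical `ClusterToken` record with a setter but no reader, a serializer that only ever emits a mask, and a defender's check that the page payload does not contain the plaintext.

```ruby
# Added example (not GitLab's code): a write-only secret attribute for a
# cluster record. The token can be set and used server-side, but no
# reader exposes it, so a "Show" control has nothing to reveal.
require 'json'

class ClusterToken
  MASK = '********'.freeze

  # Hypothetical record; real code would store the token encrypted at rest.
  def initialize(name:, api_url:)
    @name = name
    @api_url = api_url
    @token = nil
  end

  attr_reader :name, :api_url

  # Write-only: the setter exists, but there is deliberately no `token` reader.
  def token=(value)
    raise ArgumentError, 'token must not be blank' if value.nil? || value.strip.empty?
    @token = value
  end

  def token_present?
    !@token.nil?
  end

  # Server-side use only: builds the Authorization header value without
  # handing the plaintext to the view layer.
  def authorization_header
    "Bearer #{@token}"
  end

  # What the cluster details page receives: the mask, never the secret.
  def as_json(*)
    { 'name' => @name, 'api_url' => @api_url,
      'token' => token_present? ? MASK : nil }
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Defender's check for a rendered page or API payload: the plaintext token
# entered by the user must never appear in what is sent to the browser.
def page_exposes_secret?(payload, secret)
  payload.include?(secret)
end
```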

Edited by Daniel Gruesso