Kubernetes cluster token visible for all-level clusters
Hi GitLab Security Team,
GitLab allows adding group-level Kubernetes clusters. An existing cluster can be added by entering a cluster URL and a token. However, this token is not properly masked, allowing everyone who can visit the cluster page to also obtain the Kubernetes cluster token. Everyone in possession of the token then gets full access to the cluster.
Steps to reproduce
Tested on GitLab Enterprise Edition 12.3.0-pre 2d096e82
- Create a group and go to
- Click on "Add existing Cluster"
- Fill in Kubernetes cluster name: "Test", API URL: "https://foo.bar", Service Token: "My Secret Token" and save the page
- Now scroll down to "Kubernetes cluster details". Here you see the Service token being masked. However, you can reveal the token by clicking on "Show" on the right side.
Now the Kubernetes token is leaked.
Kubernetes cluster token being leaked after being entered into GitLab. This allows anyone who can visit the cluster page to steal the cluster token.
What is the current bug behavior?
Kubernetes cluster token can be revealed in the Kubernetes integration.
What is the expected correct behavior?
Once the Kubernetes cluster token is entered, you cannot reveal it again, so remove the
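As an added illustration of the expected behaviour (example code, not GitLab's own), the following Ruby sketch contrasts the leaky shape the report describes, where the page payload carries the plaintext token so a "Show" toggle can reveal it, with a write-only design where the server only reports whether a token is set. The class and method names (ClusterIntegration, present_leaky, present_for_ui, update_from_form) are assumptions for this example.

```ruby
# Added example, not GitLab's code. Class and method names are assumed.
class ClusterIntegration
  attr_reader :name, :api_url

  def initialize(name:, api_url:, service_token:)
    @name = name
    @api_url = api_url
    @service_token = service_token # kept server-side; no public reader
  end

  # Leaky shape from the report: the token travels to the browser, so any
  # client-side "Show" toggle (or a look at the DOM) reveals it.
  def present_leaky
    { name: @name, api_url: @api_url, service_token: @service_token }
  end

  # Hardened shape: the payload only says whether a token has been set.
  # The UI cannot reveal a value the server never sends.
  def present_for_ui
    { name: @name, api_url: @api_url,
      service_token_set: !@service_token.to_s.strip.empty? }
  end

  # Form update: a blank token field means "keep the existing token";
  # a non-blank one replaces it. The stored value is never echoed back.
  def update_from_form(params)
    @api_url = params[:api_url] if params.key?(:api_url)
    new_token = params[:service_token].to_s
    @service_token = new_token unless new_token.strip.empty?
    present_for_ui
  end

  # Server-side use only: build the header for calls to the cluster API
  # without the token ever reaching the browser.
  def authorization_header
    "Bearer #{@service_token}"
  end
end
```

In a real Rails app the same idea is enforced by excluding the token attribute from serializers and form values, not only from what the template shows.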
Output of checks
This bug happens on GitLab.com