GitLab.org / GitLab / Issue #55302 (Closed)
Issue created Dec 13, 2019 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

Kubernetes cluster token visible for all-level clusters

HackerOne report #702796 by xanbanx on 2019-09-27, assigned to @cmaxim:

Hi GitLab Security Team,

Summary

GitLab allows adding group-level Kubernetes clusters. This allows adding an existing cluster by providing a cluster URL and a token. However, this token is not properly masked, allowing everyone who can visit the cluster page to also get the Kubernetes cluster token. So everyone who is in possession of the token also gets full access to the cluster.

Steps to reproduce

Tested on GitLab Enterprise Edition 12.3.0-pre 2d096e82

  1. Create a group and go to https://example.gitlab.com/groups/<group-name>/-/clusters
  2. Click on Add existing Cluster
  3. Fill in Kubernetes cluster name: Test, API URL: https://foo.bar, Service Token: My Secret Token and save the page
  4. Now scroll below to Kubernetes cluster details. Here, you see the Service token being masked. However, you can reveal the token by clicking on Show on the right side.

Now the Kubernetes token is leaked.

Impact

Kubernetes cluster token being leaked after being entered into GitLab. This allows anyone who can visit the Cluster page to steal the cluster token.

What is the current bug behavior?

Kubernetes cluster token can be revealed in the Kubernetes integration.

What is the expected correct behavior?

Once the Kubernetes cluster token is entered, you cannot reveal it again, so remove the Show button.

Output of checks

This bug happens on GitLab.com

Best regards,
Xanbanx

Impact

See above.

Edited Dec 20, 2019 by Daniel Gruesso
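The fix the reporter asks for (no reveal path once the token is stored) is the general "write-only secret" pattern. The following is an added example in plain Ruby, not GitLab's code and not tied to its cluster model: the class name `ClusterIntegration`, the methods `rotate_token`, `auth_headers` and `leaks_secret?`, and the sample values are assumptions made for this illustration. The token can be set once and used server-side to build request headers, but no accessor, serializer or debug output ever returns it, so a page built from `to_h` has nothing to show.

```ruby
# Added example (not GitLab's code): a "write-only" secret pattern for a
# stored Kubernetes service token. The token can be set once and used on the
# server side, but no accessor or serializer ever returns it to a page or API
# client, so there is nothing for a "Show" button to reveal.

require 'json'

# Hypothetical record for a cluster integration; the names are assumptions.
class ClusterIntegration
  # Fixed placeholder: never derive the mask from the token's length.
  PLACEHOLDER = '********'.freeze

  attr_reader :name, :api_url

  def initialize(name:, api_url:)
    @name = name
    @api_url = api_url
    @service_token = nil
  end

  # Accept the token exactly once; a later change must go through
  # #rotate_token, and nothing returns the stored value.
  def service_token=(value)
    raise ArgumentError, 'token already set; rotate instead' if @service_token
    raise ArgumentError, 'token must not be blank' if value.nil? || value.strip.empty?

    @service_token = value.dup.freeze
  end

  # Replacing the token is allowed; reading it back is not.
  def rotate_token(new_value)
    @service_token = nil
    self.service_token = new_value
  end

  def token_present?
    !@service_token.nil?
  end

  # The only consumer of the secret: headers for a server-side call to the
  # cluster API. This hash is used for the outbound request, never rendered.
  def auth_headers
    raise 'no token configured' unless token_present?

    { 'Authorization' => "Bearer #{@service_token}" }
  end

  # What the cluster details page or API receives: the token is replaced by
  # the placeholder (or nil when unset), so the view cannot reveal it.
  def to_h
    {
      'name' => name,
      'api_url' => api_url,
      'service_token' => token_present? ? PLACEHOLDER : nil
    }
  end

  def to_json(*args)
    to_h.to_json(*args)
  end

  # Keep logs and error pages from leaking the secret through inspect/to_s.
  def inspect
    state = token_present? ? PLACEHOLDER : 'unset'
    "#<ClusterIntegration name=#{name.inspect} api_url=#{api_url.inspect} token=#{state}>"
  end
  alias to_s inspect
end

# Regression check for any new view or serializer: does the rendered output
# contain the raw secret anywhere?
def leaks_secret?(rendered, secret)
  rendered.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  cluster = ClusterIntegration.new(name: 'Test', api_url: 'https://foo.bar')
  cluster.service_token = 'My Secret Token' # constructed sample value
  puts cluster.to_json
  puts cluster.auth_headers['Authorization'].start_with?('Bearer ')
  puts leaks_secret?(cluster.to_json, 'My Secret Token')
end
```

The design choice worth noting is that the secret has no reader at all: the UI and API get `to_h`, outbound cluster calls get `auth_headers`, and rotation replaces the value without ever echoing the old one. A `leaks_secret?`-style assertion over every rendered representation is a cheap guard against a future template or serializer reintroducing a reveal.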