Skip to content

Do not expose user name if user is project bot

Serena Fang requested to merge sfang-do-not-show-token-name into master

What does this MR do?

Because project bot usernames are generated following a pattern (project_20_bot, project_20_bot1, project_20_bot2, etc), it is possible to know all of the project bot usernames for a given project. Using the username, it is possible to use the user API to GET information for all of the project bots. For a non-admin requester, this information is the bot's id, name, username, state, avatar_url, avatar_path, web_url, and custom_attributes if any. https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html

The name of the project bot user is the name of the project access token, and while the name of the token itself can't be utilized for much, it could reveal potentially sensitive information if the token name is a little too descriptive, like internal company structure, or be leveraged in a phishing attack.

This MR prevents the user's name attribute from being exposed if the user is a project bot and the API requester is not an admin.

More info in the issue (confidential): https://gitlab.com/gitlab-org/gitlab/-/issues/321298

Before:

image

After:

image

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Serena Fang

Merge request reports