Username and password disclosed from mirror repository error message when mirroring failed
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #2520722](https://hackerone.com/reports/2520722)** by `gudanggaramfilter` on 2024-05-26, assigned to `GitLab Team`:

[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

When a user forces a push, `Update now ( )` GitLab leaks the user's password when adding a mirror with GIT credentials. When you press in the Mirroring repositories section it displays username and password errors.

##### Steps to reproduce

1. Create a Project
2. Click Settings -> Repository
3. Click expand on Mirroring repositories
4. Enter the url `git://00000000.01020304.rbndr.us:1339/aaaa/aaaa`
5. Fill in your username and password (your secret)
6. Click mirror repository to create a mirror.
7. Press the `update now` button
8. You can see your username and password in the error message.

![Cuplikan_layar_2024-05-26_100819.png](https://h1.sec.gitlab.net/a/bca2f41a-c1ed-43ef-80db-582d76894a46/Cuplikan_layar_2024-05-26_100819.png)

Additional: If you get the error message `The remote mirror URL is invalid.` please press update now again / recreate the URL from the first step.

#### Impact

Other manager-level users may see passwords from incorrect mirrors that may have been set by other managers.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Cuplikan_layar_2024-05-26_100819.png](https://h1.sec.gitlab.net/a/bca2f41a-c1ed-43ef-80db-582d76894a46/Cuplikan_layar_2024-05-26_100819.png)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
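One way to keep mirror credentials out of an error string before it is stored or shown to other project members, as an added Ruby example that is not GitLab's code or its actual fix. The function name `sanitize_mirror_error`, the sample error text, the host `mirror.example.com` and the sample credentials are all constructed for illustration.

```ruby
require 'erb'

MASK = '*****'

# scheme://userinfo@ where userinfo is everything before the first "@"
# that precedes any "/" or whitespace.
URL_USERINFO = %r{([a-z][a-z0-9+.\-]*://)[^/\s@]+@}i

# Constructed sample: a git-style failure that echoes the authenticated URL.
SAMPLE_PASSWORD = 's3cr3t/pw'
SAMPLE_ERROR = "fatal: unable to access " \
  "'https://mirror-user:s3cr3t%2Fpw@mirror.example.com/aaaa/aaaa.git/': " \
  "Could not resolve host"

# Returns `message` with the mirror password and any URL userinfo masked.
# `password` is the secret configured for the mirror (hypothetical parameter).
def sanitize_mirror_error(message, password: nil)
  out = message.dup

  unless password.nil? || password.empty?
    encoded = ERB::Util.url_encode(password)
    # Mask the literal secret first, so a raw "@" or "/" inside the password
    # cannot confuse the URL pattern below. The percent-encoded form is matched
    # case-insensitively because hex digits may be written %2F or %2f.
    out.gsub!(Regexp.new(Regexp.escape(encoded), Regexp::IGNORECASE), MASK)
    out.gsub!(Regexp.new(Regexp.escape(password)), MASK)
  end

  # Then mask whatever userinfo is left in any URL, which also covers the
  # username. The username is not masked as a bare literal: a username such
  # as "git" would otherwise rewrite the "git://" scheme itself.
  out.gsub(URL_USERINFO) { "#{Regexp.last_match(1)}#{MASK}:#{MASK}@" }
end

if $PROGRAM_NAME == __FILE__
  puts sanitize_mirror_error(SAMPLE_ERROR, password: SAMPLE_PASSWORD)
end
```

Sanitizing at the point where the error is persisted, rather than only when it is rendered, keeps the secret out of every later consumer of that stored value.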