GitLab stores AWS, Slack, Akismet, reCaptcha tokens in plaintext
HackerOne report #692439 by xanbanx
on 2019-09-11, assigned to hackerjuan
Hi GitLab security team,
Summary
I was looking at the application code and my database and observed that GitLab stores sensitive credentials in plaintext in the database. In particular, I saw that the application settings store the following credentials in plaintext:
- AWS keys for elastic search cluster
- Akismet API key
- reCAPTCHA site and private key
- Slack APP_SECRET
Furthermore, these tokens are directly visible to any administrator and anyone looking at their computer. In general, it's good practice to redact entered tokens and not show them in the user interface of GitLab.
Steps to reproduce
Tested on a local installation of GitLab Enterprise.
- Fill in the tokens mentioned above. Concrete values do not matter.
- Start a PSQL console. On a GDK you can do that via
bundle exec rails db
- Execute the following command:
SELECT (elasticsearch_aws_access_key,elasticsearch_aws_secret_access_key,slack_app_secret,slack_app_verification_token,akismet_api_key,recaptcha_site_key,recaptcha_private_key) FROM application_settings;
This will reveal directly the tokens in plaintext.
Impact
An attacker with access to the system could read sensitive information stored in plaintext.
What is the current bug behavior?
Various tokens are stored in plaintext.
What is the expected correct behavior?
Sensitive tokens need to be stored encrypted. It seems there is already infrastructure available for that in the application settings since there are other fields already encrypted.
Relevant logs and/or screenshots
Output of checks
System information
System: Ubuntu 18.04
Proxy: no
Current User: xanbanx
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 3.0.3
Bundler Version:1.17.2
Rake Version: 12.3.2
Redis Version: 4.0.9
Git Version: 2.23.0
Sidekiq Version:5.2.7
Go Version: go1.12.6 linux/amd64
GitLab information
Version: 12.3.0-pre
Revision: d777fa6dd9f
Directory: /home/xanbanx/gdk/gdk-ee/gitlab
DB Adapter: PostgreSQL
DB Version: 10.10
URL: http://localhost:3001
HTTP Clone URL: http://localhost:3001/some-group/some-project.git
SSH Clone URL: ssh://xanbanx@localhost:2222/some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 10.0.0
Repository storage paths:
- default: /home/xanbanx/gdk/gdk-ee/repositories
GitLab Shell path: /home/xanbanx/gdk/gdk-ee/gitlab-shell
Git: /usr/bin/git
Best regards,
Xanbanx
Impact
See above.
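As an added example (not GitLab's code or part of the report), the encrypted-column pattern the report asks for: a stand-in for the application_settings row that keeps an encrypted_<name> / encrypted_<name>_iv pair per token (the column layout of the attr_encrypted gem, which is assumed here to be the "infrastructure already available"), a redacted form for the admin UI, and an audit check that the plaintext never appears in the stored row. DB_KEY and the token values are constructed.

```ruby
require 'openssl'

# Added example, not GitLab's code. DB_KEY stands in for the server-side
# key kept in the application secrets; it is a constructed value and
# never belongs in the database row itself.
DB_KEY = OpenSSL::Digest::SHA256.digest('constructed-example-key-base')

class EncryptedSettings
  def initialize
    @row = {} # stands in for one application_settings row
  end

  # Store a token: fresh IV per attribute, AES-256-GCM, tag appended to
  # the ciphertext so tampering with the column is detected on read.
  def set(name, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = DB_KEY
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    @row["encrypted_#{name}"] = ct + cipher.auth_tag
    @row["encrypted_#{name}_iv"] = iv
  end

  def get(name)
    blob = @row.fetch("encrypted_#{name}")
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = DB_KEY
    cipher.iv = @row.fetch("encrypted_#{name}_iv")
    cipher.auth_tag = blob[-16..]           # 16-byte GCM tag
    cipher.update(blob[0...-16]) + cipher.final
  end

  # What an admin page should render instead of the token: last 4 chars.
  def redacted(name)
    value = get(name)
    value.length > 4 ? ('*' * (value.length - 4)) + value[-4..] : '****'
  end

  # Audit: the SELECT from the report must not find the plaintext in any
  # stored column value.
  def stored_in_plaintext?(plaintext)
    @row.values.any? { |v| v.b.include?(plaintext.b) }
  end

  def raw_row
    @row.dup
  end
end
```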