GitLab stores AWS, Slack, Akismet, reCAPTCHA tokens in plaintext

HackerOne report #692439 by xanbanx on 2019-09-11, assigned to hackerjuan:

Hi GitLab security team,

Summary

I was looking at the application code and my database and observed that GitLab stores sensitive credentials in plaintext in the database. In particular, I saw that the application settings store the following credentials in plaintext:

  • AWS keys for the Elasticsearch cluster
  • Akismet API key
  • reCAPTCHA site and private key
  • Slack APP_SECRET

Furthermore, these tokens are directly visible to any administrator and to anyone looking at their screen. In general, it is good practice to redact entered tokens and not to show them in the GitLab user interface.

Steps to reproduce

Tested on a local installation of GitLab Enterprise.

  1. Fill in the tokens mentioned above. Concrete values do not matter.
  2. Start a psql console. On a GDK you can do that via bundle exec rails db.
  3. Execute the following query (the columns are listed without the surrounding parentheses so each token comes back in its own column rather than as a single composite record):
SELECT elasticsearch_aws_access_key, elasticsearch_aws_secret_access_key, slack_app_secret, slack_app_verification_token, akismet_api_key, recaptcha_site_key, recaptcha_private_key FROM application_settings;

This directly reveals the tokens in plaintext.

Impact

An attacker with access to the system could read sensitive information stored in plaintext.

What is the current bug behavior?

Various tokens are stored in plaintext.

What is the expected correct behavior?

Sensitive tokens need to be stored encrypted. It seems there is already infrastructure available for that in the application settings since there are other fields already encrypted.

Relevant logs and/or screenshots

Output of checks

System information  
System:         Ubuntu 18.04  
Proxy:          no  
Current User:   xanbanx  
Using RVM:      no  
Ruby Version:   2.6.3p62  
Gem Version:    3.0.3  
Bundler Version:1.17.2  
Rake Version:   12.3.2  
Redis Version:  4.0.9  
Git Version:    2.23.0  
Sidekiq Version:5.2.7  
Go Version:     go1.12.6 linux/amd64

GitLab information  
Version:        12.3.0-pre  
Revision:       d777fa6dd9f  
Directory:      /home/xanbanx/gdk/gdk-ee/gitlab  
DB Adapter:     PostgreSQL  
DB Version:     10.10  
URL:            http://localhost:3001  
HTTP Clone URL: http://localhost:3001/some-group/some-project.git  
SSH Clone URL:  ssh://xanbanx@localhost:2222/some-group/some-project.git  
Elasticsearch:  yes  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        10.0.0  
Repository storage paths:  
- default:      /home/xanbanx/gdk/gdk-ee/repositories  
GitLab Shell path:              /home/xanbanx/gdk/gdk-ee/gitlab-shell  
Git:            /usr/bin/git  

Best regards,
Xanbanx

Impact

See above.
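The fix the report asks for, encrypting the token at the application layer and redacting it before display, as an added illustration that is not GitLab's code (GitLab's own encrypted-attribute mechanism is not shown here). The secret base, column name and sample token are constructed placeholders.

```ruby
require 'openssl'
require 'base64'

# Added illustration (not GitLab's code): encrypt a setting token at the
# application layer so the database row never holds the plaintext, and
# redact it before it reaches any admin-facing page.
module SettingCrypto
  CIPHER = 'aes-256-gcm'

  # Derive a 32-byte key from a secret that lives outside the database
  # (here a constructed placeholder standing in for the app's secrets file).
  def self.key(secret_base)
    OpenSSL::Digest::SHA256.digest(secret_base)
  end

  # Returns "iv.tag.ciphertext", all base64, so one text column can hold it.
  def self.encrypt(plaintext, secret_base)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key(secret_base)
    iv = cipher.random_iv
    cipher.auth_data = ''
    ct = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ct].map { |b| Base64.strict_encode64(b) }.join('.')
  end

  # Raises OpenSSL::Cipher::CipherError if the key is wrong or the blob was tampered with.
  def self.decrypt(blob, secret_base)
    iv, tag, ct = blob.split('.').map { |s| Base64.strict_decode64(s) }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key(secret_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    cipher.update(ct) + cipher.final
  end

  # What the settings UI should render: never the token itself.
  def self.redact(plaintext)
    return '****' if plaintext.length <= 4
    '*' * (plaintext.length - 4) + plaintext[-4..]
  end
end

# Constructed sample row using one of the column names from the report.
SECRET_BASE = 'constructed-placeholder-secret-base'
def build_row(token)
  { akismet_api_key: SettingCrypto.encrypt(token, SECRET_BASE) }
end
# Check a stored row for the plaintext token (what the report's SQL exposed).
def row_leaks?(row, token)
  row.values.any? { |v| v.include?(token) }
end
```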