
Security issue: Leaks the Personal Access token to all hosting platforms #39

Open
SISheogorath opened this issue Aug 12, 2019 · 4 comments

Comments

@SISheogorath

commented Aug 12, 2019

After checking the code a while ago and not getting any response from the author in order to perform a responsible disclosure, I decided to publish it now after 90 days.

In addition to the blog post that I published last weekend, I have now decided to also open an issue here, in the hope that things get fixed.

The problem:

request({
    method: 'GET',
    uri: url,
    headers: {
        "PRIVATE-TOKEN": @token,
    },
    resolveWithFullResponse: true,
    json: true,
    agentOptions: {
        rejectUnauthorized: @unsecureSsl is false,
    }
})

Which leads to:

[screenshot: the request carrying the PRIVATE-TOKEN header, sent to github.com]

Which can be solved like:

--- lib/gitlab.coffee.orig	2019-05-22 20:07:49.859165463 +0200
+++ lib/gitlab.coffee	2019-05-22 20:23:38.172858394 +0200
@@ -53,6 +53,9 @@
         )

     get: (url) =>
+        regex = /^https:\/\/gitlab.com/
+        unless regex.test(url)
+          return
         request({
             method: 'GET',
             uri: url,
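Review bot: the allow-list regex in the added lines is both too loose and too narrow. `/^https:\/\/gitlab.com/` leaves the dot unescaped and has no terminating `/`, so hosts that merely begin with `gitlab` + any character + `com` (for example `gitlab-community.example`) pass the check; escape the dot and anchor the host, `/^https:\/\/gitlab\.com\//`. Hard-coding `gitlab.com` also breaks every self-hosted instance, which is the plugin's main use case, so the permitted host should come from the configured GitLab URL rather than a literal. Finally, the bare `return` makes `get` resolve to `undefined` instead of a rejected promise, so callers awaiting the response get an unexpected value; return a rejected promise (or throw) with a message saying the URL was refused.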

All details and further ideas how to solve this can be found in @blakawk's inbox (The email was from 22nd of May 2019) or at: [link deleted].

@blakawk


Owner

commented Aug 13, 2019

@SISheogorath the issue you're describing is far from being a security issue, and I never received any email from you previously.

Indeed, Gitlab tokens are currently entered by the user when configuring the plugin in order to access their Gitlab API, probably on their personal hosting (or even hosted on Gitlab).

Consequently, the window you are showing is currently displayed to the same user that has entered the token previously, and there is currently no means provided by Atom to hide these tokens.

So I would like to thank you for not trying to promote your blog and report wrong issues that might scare users for no reason in the future.

@blakawk blakawk closed this Aug 13, 2019

@blakawk blakawk added the invalid label Aug 13, 2019

@blakawk blakawk self-assigned this Aug 13, 2019

@SISheogorath


Author

commented Aug 13, 2019

@blakawk The problem is not that the token is visible in the config; the problem is that it's sent to every webserver you may have cloned a repository from. I sent an email to the mail address listed in your GitHub profile on 22nd of May. It was a GPG encrypted email containing all details of the problem.

As you may notice in the screenshot, the token is sent to github.com, which shouldn't see this token at all.

The same works for any webserver that provides you a repository to download and open in Atom. When you clone a repository from an attacker's webserver and this attacker is logging all requests, the attacker is able to obtain the personal access token provided by the user to the plugin. This basically grants the attacker access to all repositories the user has access to, thanks to the fact that it's an API Access Token.

If you want, I can provide a more detailed PoC.

@blakawk


Owner

commented Aug 13, 2019

@SISheogorath indeed I just decrypted the email you sent on 22nd of May, but you might not have sent it encrypted if you wanted a prompt answer, and maybe add an introduction of yourself and what your skills are to support your report.

Anyway, there is no need to provide a more detailed PoC, as I see what the issue is that you are trying to qualify as a security risk. Gitlab users should know that Access Tokens shall not be disclosed publicly, at the moment they generate them from their Gitlab Account.

A clean solution would be to allow the user to set the Access Token per repository, which, for the sake of simplicity and because there is no means for Atom to provide settings per repository, I did not implement at the moment. The way I see it would be to have a special Git config section [gitlab] with two options, host and token, which the plugin would retrieve using the Atom API GitRepository::getConfigValue.

I thus leave this issue open, and if someone wants to provide me with a pull request, I will be more than happy to review it.

@blakawk blakawk reopened this Aug 13, 2019

@ccoenen



commented Aug 13, 2019

One of the main points of Gitlab is the ability to self-host it, so the assumption that one uses more than a single Gitlab instance is very valid. In this lies the security issue when one's token is accidentally exposed to another Gitlab server.

An access token per repository or per server would help tremendously.
