Group integration discord settings sensitive information exposed to project maintainers
HackerOne report #2092521 by vaib25vicky on 2023-08-01, assigned to GitLab Team:
Report
Hi
A new feature was added in !125621 (merged) which allows setting different webhooks on events in the Discord integration. These newly added webhook URLs are getting leaked in API responses.
In the past, similar bugs were reported where webhook URLs were leaked, for example #385669 (closed) and #36632 (closed).
Steps to reproduce
- Group owner sets up the Discord integration at group level by going to https://gitlab.com/groups/<group-name>/-/settings/integrations/discord/edit and also sets up different webhooks on events.
- Let's suppose there's a project inside the group and there exists a maintainer named foo.
- foo uses the integration API and gains access to the group owner's Discord webhook URL:
curl --request GET \
--url https://gitlab.com/api/v4/projects/<PROJECT-ID>/integrations/discord \
--header 'Content-Type: application/json' \
--header 'PRIVATE-TOKEN: <USER-ACCESS-TOKEN>'
Output of checks
This bug happens on GitLab.com
Impact
The webhook URLs allow accessing and sending custom messages in the channels in Discord without any authentication. If they are leaked to an unauthorized user, then he/she can send arbitrary messages and, depending upon the configuration, can use this same bug to run commands in the channels.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section:
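
A regression check for the exposure described in this report, as an added example that is not part of the original report or GitLab's code: it scans a decoded integrations API response for Discord webhook URLs and reports where they appear, with the token redacted. The sample bodies and their key names are constructed assumptions, not GitLab's actual response schema.

```python
import json
import re

# Discord webhook URLs have the form https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com is the older host). The token is the secret part.
WEBHOOK_RE = re.compile(
    r"https://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"
)

def find_webhook_leaks(node, path="$"):
    """Walk a decoded JSON value; return (json_path, redacted_url) per leaked URL."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            leaks += find_webhook_leaks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            leaks += find_webhook_leaks(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for m in WEBHOOK_RE.finditer(node):
            # Keep everything up to the token so the finding is reportable
            # without copying the secret into logs or CI output.
            redacted = m.group(0)[: m.start(2) - m.start(0)] + "<redacted>"
            leaks.append((path, redacted))
    return leaks

# Constructed sample bodies; key names are hypothetical, not GitLab's schema.
LEAKY = json.loads("""{
  "slug": "discord",
  "properties": {
    "webhook": "https://discord.com/api/webhooks/111111111111111111/CONSTRUCTED-token_A",
    "per_event": [
      {"event": "push",
       "url": "https://discord.com/api/webhooks/222222222222222222/CONSTRUCTED-token_B"}
    ]
  }
}""")
CLEAN = json.loads('{"slug": "discord", "properties": {"active": true}}')

if __name__ == "__main__":
    for where, url in find_webhook_leaks(LEAKY):
        print(f"webhook URL exposed at {where}: {url}")
```

Run against responses fetched with tokens at each role level on your own instance, a non-empty result for a role that should not see the integration secrets is a failing check.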