Skip to content

Create resource access token with email containing a random part

Gosia Ksionek requested to merge mk-383216-make-tokens-more-resilient into master

What does this MR do and why?

Closes #383216 (closed), #391434 (closed) and likely #392837 (closed).

When creating project/group access tokens, we have a pattern to create emails (project{project_id}_bot@noreply.{Gitlab.config.gitlab.host} or group{group_id}_bot@noreply.{Gitlab.config.gitlab.host}). By having this fixed pattern, attacker can add secondary, not confirmed email to their account and this way block some project/group owners from creating access tokens.

This is connected with the fact that underneath project/group token there is a bot user created and we cannot allow duplication of emails.

According to the recommendation from @bdenkovych, I have added the random string to the bot user email, making it so much harder to brute-force.

The follow-up can be limiting the number of secondary emails per user.

Screenshots or screen recordings

image

How to set up and validate locally

VICTIM ACCOUNT:

  • Sign in to a GitLab instance as victim user
  • Create a new Project (settings do not matter) and note the project id (eg.: 10)

ATTACKER ACCOUNT:

An attacker need to know the project id or the group id or use brute force approach. If there is already one or more access token created we need to add a number after the id. eg.: project10_bot1@noreply.gitlab.192.168.1.201.nip.io

VICTIM ACCOUNT:

  • Sign in to a GitLab instance as victim user
  • Go to the previously created project
  • Go to "Settings" => "Access Token"
  • Try to add a new Access Token

The victim user will be able to create new access token.

Additional check:

  1. Open rails console (rails c)
  2. Check if User.last.email - if creating an access token was the last action that you did) and see if the email contains a part with random characters before @.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #383216 (closed) #391434 (closed)

Edited by Bogdan Denkovych

Merge request reports

Loading