Create resource access token with email containing a random part
What does this MR do and why?
Closes #383216 (closed), #391434 (closed) and likely #392837 (closed).
When creating project/group access tokens, we have a pattern to create emails (project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}
or group{group_id}_bot@noreply.{Gitlab.config.gitlab.host}
). By having this fixed pattern, attacker can add secondary, not confirmed email to their account and this way block some project/group owners from creating access tokens.
This is connected with the fact that underneath project/group token there is a bot user created and we cannot allow duplication of emails.
According to the recommendation from @bdenkovych, I have added the random string to the bot user email, making it so much harder to brute-force.
The follow-up can be limiting the number of secondary emails per user.
Screenshots or screen recordings
How to set up and validate locally
VICTIM ACCOUNT:
- Sign in to a GitLab instance as victim user
- Create a new Project (settings do not matter) and note the project id (eg.: 10)
ATTACKER ACCOUNT:
- Sign in to a GitLab instance as attacker user
- Go to "Edit Profile" => "Emails":
- To deny a project access token add a new email address as:
project#{resource.id}_bot@noreply.#{Gitlab.config.gitlab.host}
eg.: project10_bot@noreply.gitlab.192.168.1.201.nip.io - To deny a group access token add a new email address as:
group#{resource.id}_bot@noreply.#{Gitlab.config.gitlab.host}
eg.: group10_bot@noreply.gitlab.192.168.1.201.nip.io
- To deny a project access token add a new email address as:
An attacker need to know the project id or the group id or use brute force approach. If there is already one or more access token created we need to add a number after the id. eg.: project10_bot1@noreply.gitlab.192.168.1.201.nip.io
VICTIM ACCOUNT:
- Sign in to a GitLab instance as victim user
- Go to the previously created project
- Go to "Settings" => "Access Token"
- Try to add a new
Access Token
The victim user will be able to create new access token.
Additional check:
- Open rails console (
rails c
) - Check if
User.last.email
- if creating an access token was the last action that you did) and see if the email contains a part with random characters before@
.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #383216 (closed) #391434 (closed)