include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

GitLab tokens are used for authentication and authorization purposes.
They are essentially access credentials that allow users or applications to
interact with the GitLab API.

With a GitLab token, you can perform various operations such as creating,
reading, updating, and deleting resources like repositories, issues, merge
requests, and more. Tokens can also be scoped to limit the permissions and
actions that can be performed.

A leaked GitLab token can have significant consequences for the security and
integrity of the associated account and resources. It exposes the account to
unauthorized access, potentially leading to data breaches and malicious actions.
The unintended audience can exploit the leaked token to gain unauthorized entry
into the GitLab account, allowing them to view, modify, or delete repositories,
issues, and other resources. This unauthorized access can result in the exposure
of sensitive data, such as proprietary code, customer information, or
confidential documents, leading to potential data breaches.

Moreover, the unintended audience can perform malicious actions within the
account, introducing vulnerabilities, injecting malicious code, or tampering
with settings. This can compromise the security of the account and the
integrity of the software development process.

Additionally, a leaked token can enable the unintended audience to take control
of the GitLab account, potentially changing passwords, modifying settings, and
adding or removing collaborators. This account takeover can disrupt development
and collaboration workflows, causing reputational damage and operational
disruptions.

Furthermore, the impact of a leaked token extends beyond the immediate account
compromise. It can have regulatory and compliance implications, requiring
organizations to report the breach, notify affected parties, and potentially
face legal and financial consequences.

In general, the compromise of a GitLab token can lead to what is referred to as
a supply chain attack, whose consequences can affect more than one's own
organization.

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: glpat-zcs1FfaxGnHfvzd7ExHz
:example_name: token
:example_env: TOKEN

include::../../../shared_content/secrets/examples.adoc[]
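
As an added example (not part of this rule's shared content), the following Python snippet flags hard-coded tokens of the shape shown by the example secret above, redacting them before reporting, and contrasts that with the compliant pattern of reading the `TOKEN` environment variable at runtime. The `glpat-` plus 20-character token pattern and the function names `find_hardcoded_tokens` and `gitlab_headers_from_env` are assumptions made for this example.

```python
import os
import re

# Assumed token shape: a "glpat-" prefix followed by 20 token characters,
# matching the example secret used by this rule (glpat-zcs1FfaxGnHfvzd7ExHz).
# Adjust the length if the tokens in your environment differ.
GITLAB_PAT_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20}")


def find_hardcoded_tokens(source: str):
    """Return (line_number, redacted_token) for every token literal in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in GITLAB_PAT_RE.finditer(line):
            token = match.group(0)
            # Never echo the full secret in a finding: keep the prefix and
            # the last four characters so the owner can identify which token.
            hits.append((lineno, token[:6] + "..." + token[-4:]))
    return hits


def gitlab_headers_from_env(env=os.environ):
    """Compliant pattern: load the token from the TOKEN variable at runtime.

    GitLab's REST API expects the token in the PRIVATE-TOKEN header.
    """
    token = env.get("TOKEN")
    if not token:
        raise RuntimeError("TOKEN environment variable is not set")
    return {"PRIVATE-TOKEN": token}


# Constructed sample source: one noncompliant literal, one compliant env read.
SAMPLE = """\
import os
token = "glpat-zcs1FfaxGnHfvzd7ExHz"  # Noncompliant: hard-coded token
token = os.environ["TOKEN"]            # Compliant: loaded from the environment
"""

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_tokens(SAMPLE):
        print(f"line {lineno}: hard-coded GitLab token {redacted}")
```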

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks