GitLab Personal Access Token in URL

ID

gitlab_url_token

Severity

critical

Vendor

GitLab

Family

API Token

Description

A GitLab Personal Access Token is an alternative to OAuth2 authentication. It authenticates a user against the GitLab API and against git over HTTPS using HTTP basic auth.

Personal Access Tokens are required for these uses when two-factor authentication (2FA) is enabled on the account, since the account password alone no longer works there.

Security

Any hardcoded GitLab token reported by this detector is a potential security issue. Although tokens expire and carry limited scopes, once leaked an attacker can use one to perform unintended actions on the GitLab projects the user manages, with whatever privileges the token's scopes grant.

Examples

GL_TOKEN = glpat-SNixgZ5e6NWeo1Wwga11
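Added example (not part of the original detector page): a small Python scanner that finds tokens of the format shown above, both as bare assignments and embedded in the userinfo part of a git remote URL (the `https://oauth2:glpat-...@host/...` form this detector is named for), and redacts them before the finding is logged anywhere. The token pattern (`glpat-` followed by at least 20 URL-safe characters) is an assumption derived from the example above; the second sample line and the host `gitlab.example.com` are constructed.

```python
import re
from urllib.parse import urlsplit

# Token format assumed from the page's example: the "glpat-" prefix followed by
# 20 or more characters from [A-Za-z0-9_-]. Widen it if your instance differs.
GLPAT_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20,}")

# Constructed sample input: line 1 is the page's own example, the rest are made up.
SAMPLE_LINES = [
    "GL_TOKEN = glpat-SNixgZ5e6NWeo1Wwga11",
    "git clone https://oauth2:glpat-AAAAAAAAAAAAAAAAAAAA@gitlab.example.com/grp/repo.git",
    "export GITLAB_HOST=https://gitlab.example.com",
    "legacy = glpat-tooshort",  # below the minimum length, must not match
]


def find_gitlab_tokens(text):
    """Return every token matched in text, in order of appearance, without duplicates."""
    found = []
    for match in GLPAT_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def token_in_url_userinfo(url):
    """True when the URL carries a token as the password in user:password@host."""
    parts = urlsplit(url)
    return bool(parts.password and GLPAT_RE.fullmatch(parts.password))


def redact(text):
    """Keep the 'glpat-' prefix (so the finding stays recognisable) and mask the rest."""
    return GLPAT_RE.sub(lambda m: m.group(0)[:6] + "*" * (len(m.group(0)) - 6), text)


def scan(lines):
    """Return (line_number, redacted_line) for every line that contains a token.

    Only the redacted form is returned so that a scanner report never becomes a
    second copy of the secret.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        if GLPAT_RE.search(line):
            findings.append((number, redact(line)))
    return findings


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LINES):
        print(f"line {number}: {line}")
```

The scanner deliberately returns redacted lines only; the original token stays in the scanned file until the mitigation steps below are carried out.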

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Revocation is documented here.

  2. Remove the token from the source code or committed configuration file. If it lives in a git repository, you may purge unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner; you may follow the procedure listed here for GitLab. In any case, always consider the token compromised and revoke it: rewriting history does not recall copies that were already cloned or fetched.

  3. Check access logs to ensure that the secret was not used by unintended actors during the compromised period. GitLab displays the last used date in the profile under User Settings > Access Tokens.

  4. Additional controls can help mitigate future leaks. Setting the narrowest token scopes that the use case needs limits what a threat actor can do with a leaked token. In addition, the Group access and permissions settings available in the Premium/Ultimate tiers can restrict access to the group by client IP address (IP allowlisting).
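Added example (not from the original page) that automates steps 1 and 3 of the procedure above in Python: it looks up the leaked token's own record, checks whether `last_used_at` falls after the time the leak is believed to have happened, and then revokes the token. It assumes two GitLab REST API v4 endpoints, `GET /api/v4/personal_access_tokens/self` (available in recent GitLab versions) and `DELETE /api/v4/personal_access_tokens/:id`, both authenticated with the `PRIVATE-TOKEN` header. The `FakeGitLab` class, the host `gitlab.example.com`, the token placeholder and the timestamps are constructed so the example runs offline; pass no `http` argument to talk to a real instance.

```python
import json
import urllib.request
from datetime import datetime, timezone

TOKENS_API = "/api/v4/personal_access_tokens"


def _https(method, url, token):
    """Default transport: a real HTTPS request. Returns (status, decoded JSON or None)."""
    req = urllib.request.Request(url, method=method, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def _parse_ts(value):
    """Parse GitLab's ISO-8601 timestamps (e.g. 2024-05-02T10:15:00.000Z) as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_token(base_url, token, http=_https):
    """Fetch the record of the token used to authenticate (the /self endpoint)."""
    status, info = http("GET", base_url.rstrip("/") + TOKENS_API + "/self", token)
    if status != 200:
        raise RuntimeError(f"token lookup failed with HTTP {status}")
    keys = ("id", "name", "scopes", "active", "last_used_at", "expires_at")
    return {k: info.get(k) for k in keys}


def revoke_token(base_url, token, token_id, http=_https):
    """Revoke a token by id; GitLab answers 204 No Content on success."""
    status, _ = http("DELETE", f"{base_url.rstrip('/')}{TOKENS_API}/{token_id}", token)
    return status == 204


def triage(base_url, token, leak_time, http=_https):
    """Steps 1 and 3 of the procedure: record whether the token was used after the
    leak (for the access-log review), then revoke it regardless of the answer."""
    info = inspect_token(base_url, token, http)
    last_used = info["last_used_at"]
    used_after_leak = last_used is not None and _parse_ts(last_used) > _parse_ts(leak_time)
    revoked = revoke_token(base_url, token, info["id"], http)
    return {
        "token_id": info["id"],
        "scopes": info["scopes"],
        "used_after_leak": used_after_leak,
        "revoked": revoked,
    }


class FakeGitLab:
    """Constructed in-memory stand-in for the two API calls, used to run this offline."""

    def __init__(self, record):
        self.record = dict(record)
        self.calls = []

    def __call__(self, method, url, token):
        self.calls.append((method, url))
        if method == "GET" and url.endswith("/self"):
            return 200, dict(self.record)
        if method == "DELETE" and url.endswith(f"/{self.record['id']}"):
            self.record["active"] = False
            self.record["revoked"] = True
            return 204, None
        return 404, None


# Constructed token record: the token was used the day after the assumed leak time.
SAMPLE_RECORD = {
    "id": 42,
    "name": "ci-deploy",
    "scopes": ["api"],
    "active": True,
    "revoked": False,
    "last_used_at": "2024-05-02T10:15:00.000Z",
    "expires_at": "2024-12-31",
}
LEAK_TIME = "2024-05-01T00:00:00Z"

if __name__ == "__main__":
    fake = FakeGitLab(SAMPLE_RECORD)
    print(triage("https://gitlab.example.com", "glpat-PLACEHOLDER", LEAK_TIME, http=fake))
```

`used_after_leak` is a triage signal, not proof of misuse: `last_used_at` only records the most recent use, so a token used both by its legitimate owner and by someone else shows a single date. The revocation still happens unconditionally, which is what step 2 above asks for.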