and I actually suspected it was a matter of the change hiding in an absolute sea of diffs, but there's a comment on the file right below the change: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318/...
> (10 Jan, 2022 1 commit) JH need more complex passwords
> (30 Mar, 2022 1 commit) Revert "JH need more complex passwords"
oops
---
In case others are wondering what's up with the JiHu label and its matching "gitlab-jh" group: https://about.gitlab.com/handbook/ceo/chief-of-staff-team/ji...
Can somebody who what they were trying to do here opine on if this might have been malicious or was more likely just a honest mistake?
You'd have thought with all the code-owner functionality that GL has, they would lock down the `/lib/gitlab/auth/` files to require a security engineer to give additional signoff on top of a normal review. It looks like anyone at Gitlab can approve changes to the auth code (except LDAP): https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/C... which is terrifying if true.
Like this?
> cc @gitlab-com/gl-security/appsec
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318#...
I do so desperately hope it doesn't come across as throwing shade, because hindsight-2020-etc, but I do also think there was some kind of weird process breakdown here because this change somehow slipped past a "4 eyes" and an appsec review phase
Looking through the PR it looks like this file was accidentally changed, I assume with a project wide search and replace.
I could easily imagine myself missing this when reviewing the PR "oh it's just changing a whole bunch of specs, go ahead".
That's one of the major benefits of the "tree view" in MRs, because one can collapse the "spec" folder, collapse the "ee/spec" folder, and it leaves "db" and "lib/gitlab/auth" visible which should for sure set off mental alarm bells: https://docs.gitlab.com/ee/user/project/merge_requests/chang...
I think a test like this would also have found the dropbox and macos bugs that let you login to any account by using an empty password:
https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...
https://arstechnica.com/information-technology/2017/11/macos...
Edit: Oh, the password was "123qweQWE!@#000000000". Technically doable with an efficient password cracker that favors common patterns. zxcvbn’s entropy estimate says it will take 10^10.5 guesses. That’s 1 week at 50k/s. That’s a hell of an integration test for most software.
But only if there's no rate limiting or increasing timeouts for wrong passwords which in most cases exists.
First of all, in code review, having merge requests touching security-sensitive code (e.g. /lib/gitlab/auth) require review by a security engineer using CODEOWNERS is the obvious process gap.
If you're paranoid, have security engineers review the diffs on all releases before they are shipped (in practice the security engineer would filter the `git diff` down to just the files you care about like `/lib/gitlab/auth/`). This is expensive, but probably not as expensive as "whoops, our Chinese subsidiary completely broke our auth for 3 months". If you have a good enough bug bounty program then I'd expect your pentesters to spot this in less than 3 months, as reading git commits to auth code is a good way to spot potential bugs as they are committed. This is hard if you're doing continuous deployment (I don't know if GL do this) but since they have numbered releases, I'm guessing (hope?) they don't run gitlab.com off the tip of master. If you're doing Continuous Deployment you need to be damn sure that your CI/CD pipeline is rock solid, and you have the right reviewers and controls on the sensitive bits of the codebase.
These are processes; you can also make this kind of error less likely at the architectural level. A general approach for larger applications is to split Auth out into its own service with its own repository, release cycle, restricted set of contributors, etc; while microservices are probably somewhere between Peak of Inflated Expectations and Trough of Disillusionment, splitting out services that require a strong security boundary is a good use-case. You can even use an OSS off-the-shelf system like https://www.keycloak.org/ to avoid having to build your own LDAP/SAML/JWT authority. (Or outsource this to Okta, though that seems a bit more dubious these days).
This is harder for GL because they have the FOSS monorepo and splitting out auth code would be awkward. But Gitlab currently deploys a bunch of components from the monorepo (https://docs.gitlab.com/ee/development/architecture.html) and if there was a separate auth component, a paranoid security team could reasonably deploy their auth service from a fork that they update in a more controlled fashion, instead of just auto-deploying all changes to security-sensitive code as appears to have been the strategy here (if security engineers actually looked at this change and OK'd it, there are bigger problems).
Looks like two security engineers actually took a look at it: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76318#...
I go over to the website try to login with my gmail account via SSO which fails because I "already have an account". So I proceed to reset password via email alone.
After I'm in it tells me I've had an account since January 22nd 2022. Super unlikely i created the account this year, so I don't know what's going on over there, but it's not accurate bookkeeping.
