GitLab Access token exposed in Sentry notification emails #89257

syphernl opened this issue Apr 10, 2025 · 5 comments

Comments

@syphernl

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Create a release (using the API, in our case through semantic-release)
  2. A notification email is sent out (e.g. Re: Deployed version 1.7.1 to production)
  3. Underneath the Commits section a field is shown with the full URL visible (https://gitlab-ci-token:[email protected]). In an earlier release it showed the repository path (in Sentry style)

Expected Result

No access tokens to be exposed in notification emails sent out

Actual Result

(screenshot of the notification email attached in the original issue)

Product Area

Releases

Link

No response

DSN

No response

Version

No response
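The failure mode reported above, as an added example that is not code from Sentry, from this issue, or from the semantic-release-sentry-releases plugin: a release script that forwards a CI clone URL unchanged ends up with a credentialled URL in the repository name, and that name is later rendered into emails. The example assumes (hypothetically) that the URL comes from a CI variable such as GitLab's CI_REPOSITORY_URL, which carries the job token as URL userinfo, and shows the checks a practitioner would put in front of the API call (detect userinfo, strip it, derive a Sentry-style name, refuse to send anything that still carries a secret) plus a last-line mask for outgoing text.

```python
"""Keep repository clone URLs with embedded credentials out of release
metadata and notifications.

Added example; not code from Sentry, this issue, or the
semantic-release-sentry-releases plugin. It assumes (hypothetically) a release
script that reads the clone URL from a CI variable such as GitLab's
CI_REPOSITORY_URL, which carries the job token as URL userinfo
(https://gitlab-ci-token:<token>@host/group/project.git).
"""
import re
from urllib.parse import urlsplit

# "scheme://user[:secret]@" anywhere in free text (email bodies, log lines).
_USERINFO_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*://)([^\s/:@]+)(?::([^\s/@]+))?@")


def has_embedded_credentials(value: str) -> bool:
    """True when value parses as a URL whose userinfo holds a user and/or token."""
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return False
    if not (parts.scheme and parts.netloc):
        return False            # plain names such as "Acme / App" are not URLs
    return bool(parts.username or parts.password)


def redact_url(value: str) -> str:
    """Drop the userinfo part of a URL; host, port and path are kept verbatim."""
    parts = urlsplit(value)
    host = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc=host).geturl()


def repo_display_name(value: str) -> str:
    """Sentry-style 'group / project' name; non-URL input is returned unchanged."""
    parts = urlsplit(value)
    if not parts.netloc:
        return value
    path = parts.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return " / ".join(seg for seg in path.split("/") if seg)


def mask_credentials_in_text(text: str) -> str:
    """Mask userinfo in any URL embedded in outgoing text (a last line of defence)."""
    def _mask(m: re.Match) -> str:
        if m.group(3) is None:          # token used as the user name (https://<token>@host)
            return f"{m.group(1)}***@"
        return f"{m.group(1)}{m.group(2)}:***@"
    return _USERINFO_RE.sub(_mask, text)


def build_release_repository(ci_repository_url: str) -> dict:
    """The 'repository' field a release script should send: a name, not a URL.

    Refuses to emit anything still carrying credentials so that a
    misconfiguration fails the pipeline instead of leaking downstream.
    """
    name = repo_display_name(redact_url(ci_repository_url))
    if has_embedded_credentials(name) or _USERINFO_RE.search(name):
        raise ValueError("refusing to send a repository field that contains credentials")
    return {"repository": name}


if __name__ == "__main__":
    # Constructed sample in the shape GitLab CI exposes; the token is fake.
    ci_url = "https://gitlab-ci-token:glcbt-64_fakefakefake@gitlab.example.com/acme/app.git"
    print(has_embedded_credentials(ci_url))       # True
    print(build_release_repository(ci_url))       # {'repository': 'acme / app'}
    email_body = "Deployed version 1.7.1 to production\nRepository: " + ci_url
    print(mask_credentials_in_text(email_body))
```

The final refusal in build_release_repository matters because the value leaves the CI job as an API payload, where job-log variable masking does not apply; once stored as a repository name it is rendered verbatim by whatever consumes it, as the email template in this issue does.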

@getsantry
Contributor

getsantry bot commented Apr 10, 2025

Assigning to @getsentry/support for routing ⏲️

@mdtro
Member

mdtro commented Apr 11, 2025

@syphernl -- I'm looking in to this issue.
Could you be making commits with that URL as the commit author (i.e. user.email or user.name in the gitconfig)?

The template for this email hasn't changed in quite some time.

    <td class="avatar-column">
      {% if user %}
        {% if user.get_avatar_type == 'upload' %}
          <img class="avatar" src="{% profile_photo_url user.id 36 %}">
        {% elif user.get_avatar_type == 'letter_avatar' %}
          {% email_avatar user.get_display_name user.get_label 36 False %}
        {% else %}
          {% email_avatar user.get_display_name user.get_label 36 %}
        {% endif %}
      {% elif commit.author %}
        {% email_avatar commit.author.name commit.author.get_label 36 %}
      {% else %}

@syphernl
Author

@mdtro I noticed there were 3 repositories added without a name (in Sentry-format, e.g. Foo / Bar / Baz) but with the GitLab URL (including the token).
Since we just introduced Sentry release creation using semantic-release-sentry-releases this probably somehow triggered this repository to be added to Sentry as such.

@getsantry
Contributor

getsantry bot commented Apr 11, 2025

Routing to @getsentry/product-owners-settings-security-privacy for triage ⏲️

@getsantry getsantry bot moved this from Waiting for: Support to Waiting for: Product Owner in GitHub Issues with 👀 3 Apr 11, 2025
@mdtro
Member

mdtro commented Apr 11, 2025

@syphernl --

Ah, I linked the wrong lines of the template. Yes, this is intended to be the repository name.

    <th class="lowercase" colspan="3">{{ repo.name }}</th>

SpikeeLabs/semantic-release-sentry-releases is not maintained by Sentry. I do see in their README though that the repository URL/name has some default behavior I suspect you may be running in to (see below).

https://github.com/SpikeeLabs/semantic-release-sentry-releases/blob/6c316ee8cf52f8c93800b4811ea10b8b4f284aa8/README.md?plain=1#L60

Let me know if you still experience the same issue after updating your configuration. I'll keep this issue open for now.
