
introducing GitLab Plugin analogous to GitHubTokenDetector #782

Merged: 2 commits, Apr 12, 2024

Conversation


@pafmaf pafmaf commented Jan 8, 2024

As (partially) described on:

(I have no experience with Ruby/Rails, but figured out most of the token form from the code and parts from the issues referenced above and can confirm with the 'official' gitleaks.toml and the current GitLab version.)


Tokens

There are 2 main ways to create tokens in GitLab:

  • Devise.friendly_token(N) (or SecureRandom.urlsafe_base64, ref) returns a base64 URL-safe ('friendly') string that may contain underscores or dashes (_ / -). This method is used for the common tokens like Project Access Tokens. Those are typically of the form glpat-[a-zA-Z_\-]{20}, i.e. a ~20 char token 'suffix' with a set of prefixes separated by -, as documented on the site referenced above.
    E.g.: glpat-xXy_yyyZxy2892-28-AB.

    • afaics, this is used for
      • Personal Access Token - glpat
      • Deploy Token - gldt
      • Feed Token - glft
      • OAuth Access Token - glsoat
      • Runner Token - glrt
      • From what I can see in the code, Agent Tokens (glagent) have a length of 50 chars, tests say even >= 50: code, tests
  • the SecureRandom lib is used in different ways for different types of token; sometimes it's encoded into hex (base-16), sometimes base-64, but not necessarily URL-friendly, etc. These don't necessarily contain -/_.

    • Trigger Token (glptt), for example, is SecureRandom.hex(20): 40 (not 20) hexadecimal characters, so no -/_, just [a-f0-9], e.g. glptt-be8f1262d76a3bef8397633d277629ab78582e47
    • OAuth Application Secret (gloas) is SecureRandom.hex(32)
    • Incoming Mail Token (glimt) is SecureRandom.hex.to_i(16).to_s(36) 🤷
    • ...

I've decided to go with 20 to 50 chars per token and [a-zA-Z_\-] - not only hex - to be on the safe side, since the implementation or GitLab settings may change etc.


Please check if the PR fulfills these requirements:
  • Tests for the changes have been added
  • Docs have been added / updated
  • All CI checks are green

What kind of change does this PR introduce?

Feature: Plugin for GitLab tokens with a certain prefix contained in the documented prefix-list.

What is the current behavior?

We only found GitHub. :)

What is the new behavior (if this is a feature change)?

Strings like glpat-XYXYXYXYXY, gldt-XYXYXYXYXY and glagent-XYXYXYX... get flagged as well.

Does this PR introduce a breaking change?

no

Other information:

as described on:
https://docs.gitlab.com/ee/security/token_overview.html#gitlab-tokens

tokens are typically of the form `glpat-[\alnum]{20}`, i.e. a ~20 char token 'suffix' with a set of prefixes

pafmaf changed the title from "introducing GitLab token detector analogous to GitHubTokenDetector" to "introducing GitLab Plugin analogous to GitHubTokenDetector" on Jan 8, 2024
@angelo-v

Is there anything missing to merge this? I find it very helpful

@lorenzodb1

@angelo-v apologies, I just need to find some time in my schedule to properly review this. Is there any urgency on your side to see this merged and released?


pafmaf commented Jan 24, 2024

Thanks for your time!!

Is there any urgency

Well, it'd be cool if we could use this soonish with a new release in our projects / repos, but we could work around by using custom plugins for now.

Since the tokens are fairly short / low-entropy (I think there was a discussion about that somewhere), most types get ignored by all the other checks at this time.
😮 I was initially surprised that I was able to commit PATs when evaluating detect-secrets.

There's not much logic / magic to review really. GitLab just decided to add a prefix to some of their tokens, and I don't think it would cause any issues. The biggest problem was figuring out their length.

Quickest way to check the format is probably with their own gitleaks config:
https://github.com/gitlabhq/gitlabhq/blob/master/gems/gitlab-secret_detection/lib/gitleaks.toml#L6-L76
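The format rules from the PR description (documented prefixes, 20 to 50 char suffix, hex or URL-safe characters) and the low-entropy point from the comment above, put into working code as an added Python example; this is my own illustration, not the plugin merged in this PR. The suffix character class including digits, the lookarounds, the 4.5-bit threshold remark and the sample lines are my assumptions and constructions.

```python
import math
import re

# Prefixes listed in the PR description; glagent suffixes are 50 chars, most others ~20, hex ones 40.
GITLAB_PREFIXES = ("glpat", "gldt", "glft", "glsoat", "glrt", "glptt", "gloas", "glimt", "glagent")

# Assumption (mine, not the merged plugin's exact pattern): 20-50 suffix chars from [0-9a-zA-Z_-].
# Digits are included because the PR's own sample tokens contain them. The lookarounds reject a
# run longer than 50 chars and a token glued onto other identifier characters.
GITLAB_TOKEN_RE = re.compile(
    r"(?<![0-9a-zA-Z_\-])(" + "|".join(GITLAB_PREFIXES) + r")-([0-9a-zA-Z_\-]{20,50})(?![0-9a-zA-Z_\-])"
)

def find_gitlab_tokens(text: str) -> list[tuple[str, str]]:
    """Return (prefix, full_token) pairs found in text."""
    return [(m.group(1), m.group(0)) for m in GITLAB_TOKEN_RE.finditer(text)]

def mask_token(token: str) -> str:
    """Keep the prefix and last 4 chars so a finding can be reported without re-leaking the secret."""
    prefix, suffix = token.split("-", 1)
    return f"{prefix}-{'*' * (len(suffix) - 4)}{suffix[-4:]}"

def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan lines (numbered from 1) and return (line_no, prefix, masked_token) per hit."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for prefix, token in find_gitlab_tokens(line):
            hits.append((no, prefix, mask_token(token)))
    return hits

def shannon_entropy(s: str) -> float:
    """Bits per character. A 20-char string tops out at log2(20) ~= 4.32, so a ~20-char PAT can
    never reach a 4.5-bit base64 limit (detect-secrets' default); hence the prefix rule."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

# Constructed sample lines (not real credentials); the first two tokens are the PR's own examples.
SAMPLE_LINES = [
    'GITLAB_TOKEN = "glpat-xXy_yyyZxy2892-28-AB"',
    'TRIGGER = glptt-be8f1262d76a3bef8397633d277629ab78582e47',
    'AGENT = glagent-' + 'A1b2C3d4E5' * 5,
    'not_a_token = glpat-short',
    'github = ghp_' + 'x' * 36,
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```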


@lorenzodb1 lorenzodb1 left a comment


Apologies for the wait and thank you for your contribution @pafmaf! We'll include this in our next release (roughly at the end of this month).

@lorenzodb1 lorenzodb1 merged commit bcf96da into Yelp:master Apr 12, 2024
12 checks passed