Closed Bug 1704387 Opened 5 years ago Closed 5 years ago

github_secret available on bugzilla.mozilla.org/index.cgi when not logged in

Categories

(bugzilla.mozilla.org :: General, defect)

RESOLVED INVALID

People

(Reporter: hasskooelhadi, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Attached image ss.png

I've found a GitHub secret in the source code, on different web pages.
Steps to reproduce:
1- Go to: https://bugzilla.mozilla.org/index.cgi
2- Review the source code.
3- Press Ctrl+F and search for "secret".
4- There you go :)
I found it using only a browser (Firefox 87.0 (64-bit), the latest version when I reported this), and it will work on all browsers because it is included in the source code.

Flags: sec-bounty?

It's unclear to me what the point of this token is and if it is as "secret" as the name implies. :glob, perhaps you know?

Group: firefox-core-security → bugzilla-security
Type: task → defect
Component: Security → General
Flags: needinfo?(glob)
Product: Firefox → bugzilla.mozilla.org
Summary: sensetive information disclosure at bugzilla.mozilla.org → github_secret available on bugzilla.mozilla.org/index.cgi when not logged in

This isn't Bugzilla's GitHub secret; it's a randomly generated string to protect against some redirection attacks:

https://github.com/mozilla-bteam/bmo/blob/c79876b54589b4d90cc0e9781d8b40fbec38b25b/Bugzilla/CGI.pm#L390-L400

  # We generate a cookie and store it in the request cache
  # To initiate GitHub login, a form POSTs to github.cgi with the
  # github_secret as a parameter. It must match the github_secret cookie.
  # this prevents some types of redirection attacks.
  unless ($user->id || $self->{bz_redirecting}) {
    $self->send_cookie(
      -name     => 'github_secret',
      -value    => Bugzilla->github_secret,
      -httponly => 1
    );
  }

https://github.com/mozilla-bteam/bmo/blob/c79876b54589b4d90cc0e9781d8b40fbec38b25b/Bugzilla.pm#L209-L218

sub github_secret {
  my ($class) = @_;
  my $cache   = request_cache;
  my $cgi     = $class->cgi;

  $cache->{github_secret} //= $cgi->cookie('github_secret')
    // generate_random_password(256);

  return $cache->{github_secret};
}

Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(glob)
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
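
Added example (not part of the bug thread or the BMO code base): a Python sketch of the cookie-must-match-form-parameter check that the quoted comment describes, showing why the value visible in a logged-out visitor's page source is that visitor's own token. The function names, the hidden-input markup and the use of secrets.token_urlsafe in place of generate_random_password are assumptions.

```python
import hmac
import secrets

COOKIE = "github_secret"  # cookie and form-field name taken from the quoted code


def issue_secret(cookies: dict) -> str:
    """Reuse the visitor's existing cookie value, else mint a fresh random one.

    Mirrors the `//=` logic in the quoted github_secret sub; token_urlsafe is
    a stand-in for Bugzilla's generate_random_password (assumption).
    """
    return cookies.get(COOKIE) or secrets.token_urlsafe(192)  # 256 characters


def render_anonymous_page(cookies: dict):
    """Return (cookies to set, HTML form) for a logged-out visitor."""
    value = issue_secret(cookies)
    # Hypothetical markup: the page only says a form POSTs the value to github.cgi.
    form = (f'<form method="post" action="github.cgi">'
            f'<input type="hidden" name="{COOKIE}" value="{value}"></form>')
    return {COOKIE: value}, form


def github_login_allowed(cookies: dict, form: dict) -> bool:
    """Accept the login POST only if the form value equals the cookie value."""
    cookie_val = cookies.get(COOKIE, "")
    form_val = form.get(COOKIE, "")
    if not cookie_val or not form_val:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(cookie_val.encode(), form_val.encode())


def demo() -> dict:
    # Visitor A loads the page: the value in the HTML is A's own cookie value.
    a_cookies, a_html = render_anonymous_page({})
    # Visitor B gets an unrelated value, so A's page source says nothing about B.
    b_cookies, _ = render_anonymous_page({})
    return {
        "own_form_accepted": github_login_allowed(a_cookies, a_cookies),
        "value_in_own_html": a_cookies[COOKIE] in a_html,
        "foreign_value_rejected": not github_login_allowed(b_cookies, a_cookies),
        "missing_cookie_rejected": not github_login_allowed({}, a_cookies),
        "reused_on_reload": issue_secret(a_cookies) == a_cookies[COOKIE],
    }


if __name__ == "__main__":
    print(demo())
```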