Error adding secrets related to URL roots

Incident Report for Fluid Attacks

Postmortem

Impact

At least one user experienced issues when adding a new secret related to a URL root. The issue started on UTC-5 24-04-23 12:20 and was proactively discovered 14.9 days (TTD) later by one of our engagement managers who reported through our help desk [1] that when trying to add a secret in a group with Black service, the platform displayed the message "There is an error :(". The problem was resolved in 5 hours (TTF), resulting in a total window of exposure of 15.1 days (WOE) [2].

Cause

The validation process for secrets overlooked the existence of multiple Root types beyond GitRoot. Consequently, when verifying the root type for secrets in the Black plan, it was identified as URLRoot instead of GitRoot, causing the validation to fail [3].

Solution

All different root types were included for validation [4].

Conclusion

The lack of awareness of the flow variation in the Black plan underscored the necessity of incorporating tests for the secret flow in this plan to ensure comprehensive coverage across different plan types. As a result, tests will be added to validate the secrets flow, aligning with existing testing practices for other plan types [5]. INCOMPLETE_PERSPECTIVE < MISSING_TEST
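The failure and fix described under Cause and Solution, together with the kind of regression check the Conclusion calls for, can be sketched as follows. This is an added example, not Fluid Attacks' code: only the names GitRoot and URLRoot come from the report, while the Root base class, the function names and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Root:                      # hypothetical base class for all root types
    root_id: str
    group: str


class GitRoot(Root):             # type name taken from the report
    pass


class URLRoot(Root):             # type name taken from the report
    pass


class InvalidRootType(Exception):
    pass


def validate_before(root: Root) -> None:
    # Behaviour described under "Cause": only GitRoot is considered valid.
    if not isinstance(root, GitRoot):
        raise InvalidRootType(type(root).__name__)


# Explicit allowlist of root types that may hold secrets (assumed name).
SECRET_ROOT_TYPES = (GitRoot, URLRoot)


def validate_after(root: Root) -> None:
    # Behaviour described under "Solution": every root type is covered.
    if not isinstance(root, SECRET_ROOT_TYPES):
        raise InvalidRootType(type(root).__name__)


def add_secret(store: dict, root: Root, key: str, value: str, validate) -> None:
    validate(root)               # reject before anything is written
    store.setdefault(root.root_id, {})[key] = value


def rejected_root_types(validate) -> list:
    # Regression check: enumerate every Root subclass instead of hard-coding
    # one, so a newly added root type is caught by tests, not by a user.
    rejected = []
    for cls in Root.__subclasses__():
        try:
            validate(cls(root_id="constructed-id", group="constructed-group"))
        except InvalidRootType:
            rejected.append(cls.__name__)
    return rejected
```

Because the check iterates over `Root.__subclasses__()`, adding a new root type without updating the allowlist makes the test fail, which forces an explicit decision about whether that type may hold secrets.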

Posted May 08, 2024 - 17:22 GMT-05:00

Resolved

The incident has been resolved, and users can now add secrets normally.
Posted May 08, 2024 - 15:43 GMT-05:00

Identified

Some problems were noticed when trying to add secrets to URL roots in groups with Black service.
Posted May 08, 2024 - 13:39 GMT-05:00
This incident affected: Platform.