POST requests are appending the parameters to the URL.
The Retrofit POST requests in the GitLab interface appear to append the request parameters to the URL using the @Query
annotation. This becomes a security issue on login, because the user's credentials are exposed in the URL (and in anything that records it, such as request logs), for example:
.../com.commit451.gitlab I/TimberRequestInterceptor﹕ Sending request https://gitlab.com/api/v3/session?login=***&password=***
Recommendation: use the application/x-www-form-urlencoded MIME type by modifying the service methods as follows, so the credentials travel in the request body instead of the query string:

```java
@FormUrlEncoded
@POST(API_VERSION + "/session")
Call<Session> getSessionByUsername(@Field("login") String login,
                                   @Field("password") String password);
```
This ensures the user's credentials are not exposed in the URL.
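To make the difference concrete, here is an added, self-contained Java example (not code from the LabCoat project) that declares both shapes of the service interface and inspects the okhttp3.Request Retrofit would build for each, without sending anything. It assumes Retrofit 2.x with its OkHttp and Okio dependencies on the classpath; the base URL, the API_VERSION constant and the "alice"/"s3cret" credentials are placeholders constructed for the demonstration. Call.request() builds the request without executing it, so the demo runs offline.

```java
import java.io.IOException;

import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.ResponseBody;
import okio.Buffer;
import retrofit2.Call;
import retrofit2.Retrofit;
import retrofit2.http.Field;
import retrofit2.http.FormUrlEncoded;
import retrofit2.http.POST;
import retrofit2.http.Query;

// Added illustration, not LabCoat project code.
public class SessionRequestDemo {
    // Assumed constant; the path segment matches the /api/v3/session URL in the log line above.
    static final String API_VERSION = "api/v3";

    // "Before": @Query parameters become part of the URL, which is what leaks into request logs.
    interface LeakyGitLabService {
        @POST(API_VERSION + "/session")
        Call<ResponseBody> getSessionByUsername(@Query("login") String login,
                                                @Query("password") String password);
    }

    // "After": @FormUrlEncoded + @Field move the same parameters into a form-encoded body.
    interface FixedGitLabService {
        @FormUrlEncoded
        @POST(API_VERSION + "/session")
        Call<ResponseBody> getSessionByUsername(@Field("login") String login,
                                                @Field("password") String password);
    }

    /** Renders a request body as text so we can see what Retrofit would put on the wire. */
    static String bodyToString(RequestBody body) throws IOException {
        if (body == null) {
            return "";
        }
        Buffer buffer = new Buffer();
        body.writeTo(buffer);
        return buffer.readUtf8();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host: nothing is sent, Call.request() only builds the okhttp3.Request.
        Retrofit retrofit = new Retrofit.Builder()
                .baseUrl("https://gitlab.example/")
                .build();

        Request leaky = retrofit.create(LeakyGitLabService.class)
                .getSessionByUsername("alice", "s3cret")
                .request();
        Request fixed = retrofit.create(FixedGitLabService.class)
                .getSessionByUsername("alice", "s3cret")
                .request();

        // With @Query the credentials are visible in url(); the body is empty.
        System.out.println("@Query URL  : " + leaky.url());
        System.out.println("@Query body : " + bodyToString(leaky.body()));

        // With @Field the URL carries only the path; the credentials sit in the
        // application/x-www-form-urlencoded body, which a URL-logging interceptor never sees.
        System.out.println("@Field URL  : " + fixed.url());
        System.out.println("@Field body : " + bodyToString(fixed.body()));
        System.out.println("@Field type : " + fixed.body().contentType());
    }
}
```

Run it once and compare the two URL lines: the first contains the login and password as query parameters exactly as in the TimberRequestInterceptor log line above, while the second does not. Note that moving credentials into the body protects them from URL-based logging and from the URL ending up in browser/proxy history; it does not replace TLS, and any interceptor that logs request bodies would still need to redact them.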