Information leak: memberships for blocked users and not-yet-approved requests can apply
Summary
GitLab sends "project access requested" emails to blocked users.
Steps to reproduce
- Set a user in a group to be "blocked"
- Have another user request access to a group the blocked user is a developer for
Expected behavior
No emails should be sent to a blocked user
Actual behaviour
An email is sent to the blocked user. This discloses both the requestor's details, and the details of all other group members (in the To: header).
Relevant logs and/or screenshots
Here's the email I got (suitably redacted)
Return-Path: <gitlab@...>
Delivered-To: <...>
Received: from ...
Date: Tue, 30 Aug 2016 13:57:35 +0100
From: Gitlab <gitlab@...>
Reply-To: Gitlab <gitlab@...>
To: other-person-one@...,
other-person-two@...,
me@...
Subject: Request to join the ... group
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_57c582bfcdc18_5ec44ea279465161";
charset=UTF-8
Content-Transfer-Encoding: 7bit
----==_mimepart_57c582bfcdc18_5ec44ea279465161
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: 7bit
someone (https://gitlab..../u/...) requested Developer access to the ... group.
https://gitlab..../groups/.../group_members
----==_mimepart_57c582bfcdc18_5ec44ea279465161
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable
...
----==_mimepart_57c582bfcdc18_5ec44ea279465161--
Output of checks
N/a
Results of GitLab application Check
N/a
Results of GitLab environment info
N/a
Possible fixes
Assuming blocked users should not get any emails, ever, then this should just be an additional filter + check in app/services/notification_service.rb
, but I haven't checked yet.