Skip to content

Information leakage with references to MRs where project is public, but MRs are private

Summary

The title of an MR can be leaked if referenced, even if the project to which the MR belongs to restricts access to MRs.

Discovered on GitLab.com 8.13.0-rc3-ee

Steps to reproduce

  1. Create a public project.
  2. Modify project settings so the "Feature Visibility" setting for either "Repository" or "Merge requests" is set to "Only Team Members".
  3. Create a new merge request in the project (will need to push two divergent branches before hand). In theory, this MR should only be visible to team members.
  4. Create an issue that references this MR.
  5. In a private/incognito browsing window, view the newly created issue.

Expected behavior

The MR reference should not be a link (to a non-project-member user), and the MR title should not be shown in the "Related Merge Requests" section.

Actual behavior

The MR reference is a link (that leads to 404), and the MR title is included in the "Related Merge Requests" section.

Relevant logs and/or screenshots

Project settings: Screen_Shot_2016-10-19_at_1.42.58_PM

"Private" MR: Screen_Shot_2016-10-19_at_1.40.09_PM

View as project member (notice that I am logged in here): Screen_Shot_2016-10-19_at_1.41.06_PM

View as an anonymous user (notice that I am not logged in here): Screen_Shot_2016-10-19_at_1.42.47_PM

Additional notes

I did not check to see if the same info leakage exists for issues (i.e. if issue references leak titles when access to issues are restricted), but it might very well be the case that issue titles can also be leaked in the same manner.

Suggested labels

security ~Frontend