External Users can view internal snippets
Summary
If a snippet's visibility is set to "Internal", it can still be viewed by a user flagged as an "External User". Because snippet URLs are easily enumerable, an external user can walk those URLs and scrape every internal snippet on the instance.
Steps to reproduce
- Create a new snippet
- Set its visibility to "Internal"
- Log in as (or impersonate) an External User
- Open the snippet URL
What is the current bug behavior?
The external user can see the internal snippet.
What is the expected correct behavior?
As with project visibility, external users should never be able to view internal snippets; "Internal" should mean internal (non-external) users only.
Relevant logs and/or screenshots
Results of GitLab environment info
System information
System: Debian 8.7
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version: 1.13.7
Rake Version: 10.5.0
Redis Version: 3.2.5
Sidekiq Version: 4.2.7

GitLab information
Version: 8.17.4
Revision: 3d2890c8
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: ***
HTTP Clone URL: https:///some-group/some-project.git
SSH Clone URL: git@:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no

GitLab Shell
Version: 4.1.1
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
No test fails.
Checking GitLab ... Finished
Possible fixes
Apply the same permission rules to snippet visibility that projects already apply to external users: an "Internal" snippet must require a logged-in user who is not external, not merely any logged-in user.
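As an added illustration (not GitLab's own code or authorization layer), the following Ruby models the difference between the check as reported and the corrected one. The structs, visibility symbols, sample users and sample snippets are all constructed for this example; the private rule is simplified to author-only, which real rules extend to members.

```ruby
# Added illustration, not GitLab's code: models how an "internal" visibility
# check should treat external users, mirroring the rule projects already apply.
# All structs, names and sample data below are constructed for this example.

User    = Struct.new(:id, :external, keyword_init: true)
Snippet = Struct.new(:id, :author_id, :visibility, keyword_init: true)

# Constructed sample users and snippets.
INTERNAL_USER = User.new(id: 1, external: false)
EXTERNAL_USER = User.new(id: 2, external: true)

SAMPLE_SNIPPETS = [
  Snippet.new(id: 1, author_id: 1, visibility: :public),
  Snippet.new(id: 2, author_id: 1, visibility: :internal),
  Snippet.new(id: 3, author_id: 1, visibility: :private),
].freeze

# Check as reported: "internal" only requires that *some* user is logged in,
# so an external user passes.
def readable_buggy?(snippet, user)
  case snippet.visibility
  when :public   then true
  when :internal then !user.nil?
  when :private  then !user.nil? && snippet.author_id == user.id
  else false
  end
end

# Corrected check: "internal" additionally requires the user not be external.
# (Private is simplified here to author-only; real rules also cover members.)
def readable_fixed?(snippet, user)
  case snippet.visibility
  when :public   then true
  when :internal then !user.nil? && !user.external
  when :private  then !user.nil? && snippet.author_id == user.id
  else false
  end
end

# Simulates walking the enumerable snippet URLs (/snippets/1, /snippets/2, ...)
# and returns the ids the given user would be allowed to read under `check`.
def visible_snippet_ids(snippets, user, check)
  snippets.select { |s| check.call(s, user) }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy check, external user: #{visible_snippet_ids(SAMPLE_SNIPPETS, EXTERNAL_USER, method(:readable_buggy?)).inspect}"
  puts "fixed check, external user: #{visible_snippet_ids(SAMPLE_SNIPPETS, EXTERNAL_USER, method(:readable_fixed?)).inspect}"
end
```

Under the reported behaviour the external user's walk returns the internal snippet alongside the public one; under the corrected check it returns only the public snippet, while a non-external user still sees internal content.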