Skip to content

Issue title leakage when external issue tracker is enabled

Summary

After enabling external issue tracker it's possible to discover titles of all issues in a given GitLab instance. This exploit allows to do that for issues in private projects that we don't have access to as well as confidential issues.

Steps to reproduce

  1. Create a public project
  2. Create a merge request
  3. Comment with https://gitlab.com/gitlab-com/customers-gitlab-com/issues/158 (private project, confidential issue)
  4. Open the merge request in incognito mode
  5. Link is not changed to a reference
  6. Enable external issue tracker for the project
  7. Open the merge request in incognito mode
  8. Link is changed to a reference and it's possible to see issue title in the tooltip

Example Project

adamniedzielski/test-project-1!12

Possible fixes

Here is the bug:

module Banzai
  module ReferenceParser
    class IssueParser < BaseParser
      self.reference_type = :issue

      def nodes_visible_to_user(user, nodes)
        # It is not possible to check access rights for external issue trackers
        return nodes if project && project.external_issue_tracker
        
        # [...]
      end
    end
  end
end