Download archive is allowing unauthorized private repo access

Summary

Repository "Download zip"/"Download tar.gz" are capable of retrieving the previously generated .zip or .tar.gz of another repository of the same name from a completely different user or group.

Steps to reproduce

User of a public repository named "user1/download-test" selects "Download as .zip". /user1/download-test/-/archive/master/download-test-master.zip
Before any new changes are made to "user1/download-test", user2 requests "Download zip" from "/user2/download-test". They receive the contents of the .zip produced from "/user1/download-test". /user2/download-test/-/archive/master/download-test-master.zip
User2 requests "Download as .tar.gz" of "/user2/download-test". /user1/download-test/-/archive/master/download-test-master.tar.gz
Any user can request the tar.gz from a project name download-test and receive the contents of `/user1/download-test'

Either project can be "Private" and the contents are still returned.

Example Project

This had happened in production today with projects name "ld41"

What is the current bug behavior?

Private repository contents can be retrieved with unauthenticated access.

What is the expected correct behavior?

Contents should be the proper repository.

Relevant logs and/or screenshots

https://kibana.gprd.gitlab.com/goto/69d7150f82b44af80448d5e90af99f66

Output of checks

This bug happens on GitLab.com.

Edited Apr 23, 2018 by Antony Saba