`refs` available to project `Guest`

Link: https://hackerone.com/reports/404078

Details: Hi,

I have found an issue which can be used by an attacking guest user to see branch names and tag names within a project.

POC:

  • Create a project with branches and tag names.
  • Invite a guest user and now log in from the guest account.
  • Now, from the guest account, visit: https://gitlab.com/cathaxx/private-caty/refs?search= (https://gitlab.com/username/projectname/refs?search=)

It will show you all your branches (https://gitlab.com/user/project-name/branches) and tag names (https://gitlab.com/user/project-name/tags) in the project, which is normally forbidden.

Let me know if you need any more information or if I missed something. Thanks, bull

Impact

Unintended data leakage to guest user.
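The defect described above is a missing authorization check on the refs search endpoint: the handler filters branch and tag names before confirming that the requesting member is allowed to read repository data at all. The following added example (not GitLab's code) models that in plain Ruby: a small role-to-ability table, a handler that returns refs with no check, and a hardened handler that denies guests and non-members before touching repository data. The role names mirror GitLab's access levels, but the ability name `:read_repository_refs`, the project data and the member list are constructed for the example.

```ruby
# Added example, not GitLab's code. Models the authorization check a
# refs search endpoint needs so that guests cannot enumerate branch and
# tag names. The ability :read_repository_refs is a hypothetical label.

ROLE_ABILITIES = {
  guest:     [:read_project, :read_issue].freeze,
  reporter:  [:read_project, :read_issue, :read_repository_refs].freeze,
  developer: [:read_project, :read_issue, :read_repository_refs, :push_code].freeze
}.freeze

# members maps a username to its role in the project.
Project = Struct.new(:name, :members, :branches, :tags)

# Returns true only if the user is a member whose role grants the ability.
def can?(user, ability, project)
  role = project.members[user]
  return false if role.nil?

  ROLE_ABILITIES.fetch(role).include?(ability)
end

# Vulnerable shape: filters refs by the search term without any access check,
# so every authenticated member (including guests) sees branch and tag names.
def refs_search_unchecked(project, _user, query)
  (project.branches + project.tags).grep(/#{Regexp.escape(query)}/)
end

# Hardened shape: deny before reading repository data. Responding 404 rather
# than 403 avoids confirming that the endpoint or project exists.
def refs_search_checked(project, user, query)
  return { status: 404 } unless can?(user, :read_repository_refs, project)

  { status: 200, refs: refs_search_unchecked(project, user, query) }
end

# Constructed sample project: a private repo with an internal branch name
# that a guest should never learn about.
SAMPLE = Project.new(
  "private-caty",
  { "owner" => :developer, "bull" => :guest },
  %w[master feature/secret-launch],
  %w[v1.0 v2.0-rc]
)

if __FILE__ == $PROGRAM_NAME
  p refs_search_unchecked(SAMPLE, "bull", "")   # guest sees everything
  p refs_search_checked(SAMPLE, "bull", "")     # {:status=>404}
  p refs_search_checked(SAMPLE, "owner", "v")   # developer sees tag names
end
```

A regression test for the fix is the same pair of calls: the guest and any non-member must get the 404 response, while a reporter or developer still gets the filtered list.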

Notes from Security Team

~P3/~S3 since similar and more detailed information is available to guests when Public Pipelines are enabled.
