Leaking Private Project Namespace in Epic Change Description
Link: https://hackerone.com/reports/410428
By: @ngalog
Details: Usually the private project namespace is protected everywhere and is not leaked in any way in the API calls or in the front end.
However, I discovered that the recently introduced Epic feature leaks the private project namespace if someone adds a related issue to the epic issue.
PoC
https://gitlab.com/groups/publicgroupfortest/-/epics/1
You should be able to see the namespace of my private project. The permission is set to private, however the namespace is leaked in this scenario.
Steps to reproduce
- Create a public group
- Create a private project within the group
- Create a confidential issue in private project
- Upgrade the group to Ultimate, and add a new epic
- Add a related issue by pasting the link of the confidential issue you created in step 3
Now whoever visits the epic page is able to see the private namespace in the epic description.
Impact
Leaking Private Project Namespace in Epic Change Description
Edited by Brett Walker
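
The class of bug reported above, as an added example that is not part of the original report and is not GitLab's code: a change entry on a public epic that renders a cross-project issue reference without checking what the viewer may read, next to a version that checks at render time. All class, method and constant names are hypothetical, and the project path is constructed sample data.

```ruby
# Simplified model for illustration only; every name here is hypothetical.
Project = Struct.new(:full_path, :visibility, :member_ids) do
  # A private project is readable only by its members.
  def readable_by?(user_id)
    visibility == :public || member_ids.include?(user_id)
  end
end

Issue = Struct.new(:project, :iid, :confidential) do
  # Full reference; this string contains the project namespace.
  def reference
    "#{project.full_path}##{iid}"
  end

  # Confidential issues additionally require project membership.
  def readable_by?(user_id)
    return false unless project.readable_by?(user_id)
    !confidential || project.member_ids.include?(user_id)
  end
end

# Change entry recorded on the epic when an issue is linked to it.
EpicNote = Struct.new(:issue)

# Leaky rendering: the stored reference is shown to every viewer.
def render_note_unchecked(note, _viewer_id)
  "added issue #{note.issue.reference}"
end

# Hardened rendering: the reference is authorized per viewer, per request.
def render_note_checked(note, viewer_id)
  return nil unless note.issue.readable_by?(viewer_id)
  "added issue #{note.issue.reference}"
end

# Only the entries this viewer is allowed to see.
def epic_notes_for(viewer_id, notes)
  notes.map { |n| render_note_checked(n, viewer_id) }.compact
end

# Constructed sample data mirroring the report's steps:
# public group, private project, confidential issue linked to an epic.
PRIVATE_PROJECT = Project.new("publicgroupfortest/example-private-project", :private, [1])
CONFIDENTIAL_ISSUE = Issue.new(PRIVATE_PROJECT, 1, true)
NOTE = EpicNote.new(CONFIDENTIAL_ISSUE)
OWNER_ID = 1
ANONYMOUS_ID = nil
```

The check belongs at render time rather than at link time, because the viewer of a public epic is not the user who added the issue.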