Leaking Private Project Namespace in Epic Change Description

Link:          https://hackerone.com/reports/410428
By:            @ngalog

Details: Usually Private Project Namespace is protected everywhere, not in anyway is leaked in the API calls or in front end.

However I discovered the recently introduced feature Epic is leaking the private project namespace if someone added an related issue to the epic issue.

PoC

https://gitlab.com/groups/publicgroupfortest/-/epics/1

You should able to see the namespace of my private project, the permission is set to private however the namespace is leaked in this scenario

Steps to reproduce

Create a public group
Create a private project within the group
Create a confidential issue in private project
Upgrade to group to ultimate, and add an new epic
Add related issue by pasting the link of the confidential issue you created in step 3

Now whoever visit the epic page, is able to see the private namespace in the epic description

Impact

Leaki Private Project Namespace in Epic Change Description

Edited Sep 19, 2018 by Brett Walker