Leaking Private Project Namespace in Epic Change Description
Link: https://hackerone.com/reports/410428 By: @ngalog
Details: Usually Private Project Namespace is protected everywhere, not in anyway is leaked in the API calls or in front end.
However I discovered the recently introduced feature Epic is leaking the private project namespace if someone added an related issue to the epic issue.
You should able to see the namespace of my private project, the permission is set to private however the namespace is leaked in this scenario
Steps to reproduce
- Create a public group
- Create a private project within the group
- Create a confidential issue in private project
- Upgrade to group to ultimate, and add an new epic
- Add related issue by pasting the link of the confidential issue you created in step 3
Now whoever visit the epic page, is able to see the private namespace in the epic description
Leaki Private Project Namespace in Epic Change Description