Contributed projects info is still visible even when the user enables a private profile

HackerOne report #423637 by ngalog on 2018-10-14:

Summary: From here, we know that after a user enables a private profile, their contributed projects should be hidden from the public. But the contributed projects endpoint of the user is still visible.

Steps To Reproduce:

Follow the instructions here; you will see the contributed projects.

Copy and paste this JavaScript code into the gitlab.com JavaScript console, then you will see the info in the pop-up.

You can use my test account golduserngalog.

```javascript
// Ask for the username of an account that has private profile enabled
a = prompt("please enter an username that enabled private profile")
// jQuery ($) is available on gitlab.com pages; the contributed.json endpoint
// still returns the user's contributed projects despite the private profile
$.getJSON('https://gitlab.com/users/'+a+'/contributed.json',function(data){alert(JSON.stringify(data))})
```

You can confirm by visiting https://gitlab.com/golduserngalog that it is really private.

Impact

Contributed projects info is still visible even when the user enables a private profile.
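The root cause this report describes is a visibility check applied to the HTML profile page but not to the JSON endpoint serving the same data. The following Ruby illustration is added here and is not GitLab's own code; `User`, `can_view_activity?` and the endpoint functions are hypothetical names used to show the vulnerable endpoint beside the fixed one, plus a consistency check a regression test could run.

```ruby
# Added illustration (not GitLab's code): every endpoint that exposes a
# user's activity must share one visibility check. All names are hypothetical.
User = Struct.new(:username, :private_profile, :contributed_projects, keyword_init: true)

# Who may see a user's activity: the owner always, anyone else only when
# the profile is not private.
def can_view_activity?(viewer, target)
  return true if viewer && viewer.username == target.username
  !target.private_profile
end

# HTML profile page: applies the check (this is the path the report
# confirms is correctly hidden).
def profile_page(viewer, target)
  can_view_activity?(viewer, target) ? target.contributed_projects : []
end

# Before the fix: the JSON endpoint returned the data without any check,
# so a private profile leaked its contributed projects via contributed.json.
def contributed_json_vulnerable(_viewer, target)
  target.contributed_projects
end

# After the fix: the JSON endpoint reuses the same policy as the HTML page.
def contributed_json_fixed(viewer, target)
  can_view_activity?(viewer, target) ? target.contributed_projects : []
end

# Regression check: both representations of the same data must agree for
# every viewer, which is exactly what was violated in the report.
def endpoints_consistent?(viewer, target)
  profile_page(viewer, target) == contributed_json_fixed(viewer, target)
end
```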