Access to pipelines and jobs via API although feature disabled

HackerOne report #448115 by xanbanx on 2018-11-21:

Hi GitLab security team,

GitLab supports CI/CD by means of pipelines containing build jobs. However, if users do not need this feature, a project owner can disable this feature under https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions. While this disables the frontend of these features, the corresponding API still gives access to pipelines and jobs.

Steps to reproduce

Tested on GitLab 11.5.0 RC13

  1. Create a project, add some code such that a CI pipeline runs
  2. Under https://mygitlab.com/<namespace>/<project-name>/edit#js-shared-permissions disable the CI pipelines
  3. Perform the following API request:
     curl --header "PRIVATE-TOKEN: <MY-TOKEN>" "https://mygitlab.example.com/api/v4/projects/<project-id>/pipelines"

This returns the past pipelines for the project. Similarly, GET /projects/:id/pipelines/:pipeline_id also succeeds. Job information can also be queried via GET /projects/:id/jobs or GET /projects/:id/pipelines/:pipeline_id/jobs.

Impact

It allows users to get access to previous build information, a feature which should be disabled.
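
A regression check for the behaviour reported above, added here as an example and not part of the original report or of GitLab's code: it requests the four endpoints the report names for a project whose pipelines are disabled and lists any that still answer with a 2xx status. The `GITLAB_TOKEN` environment variable, the command-line arguments and the function names are assumptions of this example.

```python
"""Check that the CI/CD API is closed for a project with pipelines disabled."""
import os
import sys
import urllib.error
import urllib.request

# The four endpoints named in the report, relative to /api/v4.
ENDPOINTS = (
    "/projects/{project_id}/pipelines",
    "/projects/{project_id}/pipelines/{pipeline_id}",
    "/projects/{project_id}/jobs",
    "/projects/{project_id}/pipelines/{pipeline_id}/jobs",
)


def http_status(url, token):
    """Return the HTTP status code of a GET sent with a PRIVATE-TOKEN header."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses arrive as exceptions


def exposed_endpoints(base_url, token, project_id, pipeline_id, fetch=http_status):
    """Return (path, status) for every endpoint that still answers 2xx.

    Assumes the caller has already disabled pipelines on the project, so any
    successful response means the API ignores the feature setting.
    """
    exposed = []
    for template in ENDPOINTS:
        path = template.format(project_id=project_id, pipeline_id=pipeline_id)
        status = fetch(base_url.rstrip("/") + "/api/v4" + path, token)
        if 200 <= status < 300:
            exposed.append((path, status))
    return exposed


if __name__ == "__main__":
    # Usage: GITLAB_TOKEN=... python check.py <base-url> <project-id> <pipeline-id>
    base, project, pipeline = sys.argv[1:4]
    leaks = exposed_endpoints(base, os.environ["GITLAB_TOKEN"], project, pipeline)
    for path, status in leaks:
        print(f"EXPOSED {status} {path}")
    sys.exit(1 if leaks else 0)
```

The token is read from the environment rather than the command line so it does not appear in the process list; the non-zero exit code lets the check run as a scheduled job against a test project.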