
Project Milestones are visible when issues are project member only in public projects

HackerOne report #452074 by ashish_r_padelkar on 2018-11-29:

Summary: Hello,

I see this https://gitlab.com/-/boards/<BoardID>/milestones.json endpoint is fixed (I reported a duplicate here: #447992). However, there is one more endpoint which reveals all the milestones for similar settings.

https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones

Description:

When the project is public and issues are set to Only Project Members, the Issues tab is not visible publicly. The Milestones tab is a submenu of Issues, so it is expected that milestones are protected from the public too.

However, when you use the quick action /milestone %milestone in comments, the following request is sent in the backend:

https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones This reveals all the milestones of the project!

Steps To Reproduce:

  1. Create a public project and set issues as Only Project Members
  2. As a different user (non-member), you won't see the Issues tab
  3. Now visit https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones in browser and it will list all the milestones of the project!

Regards, Ashish

Impact

See all the milestones of the public projects when issues are set as Only Project Members

Links

Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2794
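The root cause described in the report is a feature-level authorization gap: the milestones page enforces the "issues are visible to project members only" setting, but a secondary endpoint serving the same data (the autocomplete source) only checks whether the project itself is visible. The following illustration is added here and is not GitLab's code; the Project model, the Access setting, the handler names and the sample data are all constructed for the example. It places a handler that reproduces the reported gap beside the hardened form, which reuses the same feature check as the page it feeds, and adds a small regression helper that flags any pair of endpoints making different allow/deny decisions for the same caller.

```python
"""Added illustration (not GitLab's code): every endpoint that exposes
feature data, autocomplete sources included, must apply the same
feature-level authorization as the primary page. All names and data
below are constructed for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Constructed approximation of a per-feature visibility setting."""
    DISABLED = 0
    MEMBERS_ONLY = 1   # the "Only Project Members" setting in the report
    EVERYONE = 2


@dataclass
class Project:
    name: str
    public: bool
    members: set = field(default_factory=set)
    issues_access: Access = Access.EVERYONE
    milestones: list = field(default_factory=list)


def can_view_project(project, user):
    """Project-level check: public, or the caller is a member."""
    return project.public or user in project.members


def can_view_issues(project, user):
    """Milestones belong to the issues feature, so they inherit its setting."""
    if not can_view_project(project, user):
        return False
    if project.issues_access is Access.DISABLED:
        return False
    if project.issues_access is Access.MEMBERS_ONLY:
        return user in project.members
    return True


def milestones_page(project, user):
    """The protected listing: applies the issues feature check.
    Returns None where a real service would answer 403/404."""
    if not can_view_issues(project, user):
        return None
    return list(project.milestones)


def autocomplete_milestones_vulnerable(project, user):
    """Mirrors the reported gap: only the project-level check is applied, so
    a public project with members-only issues still leaks milestone names."""
    if not can_view_project(project, user):
        return None
    return list(project.milestones)


def autocomplete_milestones_fixed(project, user):
    """Hardened: the autocomplete source reuses the same feature check as
    the page it feeds, so both endpoints make the same decision."""
    if not can_view_issues(project, user):
        return None
    return list(project.milestones)


def endpoints_agree(handlers, project, user):
    """Regression check: every handler serving milestone data must reach the
    same allow/deny decision for the same project and caller."""
    decisions = {handler(project, user) is not None for handler in handlers}
    return len(decisions) == 1


# Constructed sample: a public project whose issues are members-only.
PROJECT = Project(
    name="example-group/example-project",
    public=True,
    members={"alice"},
    issues_access=Access.MEMBERS_ONLY,
    milestones=["v1.0", "v1.1 (internal)"],
)

if __name__ == "__main__":
    for handler in (milestones_page,
                    autocomplete_milestones_vulnerable,
                    autocomplete_milestones_fixed):
        print(handler.__name__, "non-member ->", handler(PROJECT, "bob"))
    print("vulnerable pair agrees:", endpoints_agree(
        [milestones_page, autocomplete_milestones_vulnerable], PROJECT, "bob"))
    print("fixed pair agrees:", endpoints_agree(
        [milestones_page, autocomplete_milestones_fixed], PROJECT, "bob"))
```

The endpoints_agree helper is the check worth keeping in a test suite: run it over every handler that serves a given feature's data, for a non-member against a public project with that feature set to members-only, and any newly added endpoint that skips the feature check fails the test before it ships.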

Edited by Felipe Cardozo