Project Milestones are visible when issues are project member only in public projects
HackerOne report #452074 by ashish_r_padelkar on 2018-11-29:
Summary: Hello,
I see that the https://gitlab.com/-/boards/<BoardID>/milestones.json
endpoint is fixed (I reported a duplicate here: #447992). However, there is one more endpoint which reveals all the milestones under similar settings:
https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones
Description:
When a project is public and issues are set to Only Project Members, the Issues tab is not visible publicly. The Milestones tab is a sub-menu of Issues, so it is expected that milestones too are protected from the public.
However, when you use the quick action /milestone %milestone in a comment,
the following request is sent to the backend:
https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones
This reveals all the milestones of the project!
Steps To Reproduce:
- Create a public project and set issues to Only Project Members
- As a different user (a non-member), you won't see the Issues tab
- Now visit https://gitlab.com/<Group>/<project>/autocomplete_sources/milestones in a browser and it will list all the milestones of the project!
Regards, Ashish
Impact
See all the milestones of the public projects when issues are set as Only Project Members
Links
Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2794
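The report's underlying defect is an autocomplete endpoint whose access check only considers whether the project itself is readable, not whether the caller may see the issue tracker that milestones belong to. The following Ruby snippet is an added illustration and is not GitLab's code; the Project struct, the :members_only access level and the checker functions are hypothetical names chosen to model the setting in the report (a public project with issues restricted to members). It places the vulnerable check beside the corrected one so the difference in behaviour for a non-member is visible.

```ruby
# Added example (not GitLab's code): a minimal model of the authorization gap
# described in the report. All names and structures here are hypothetical.

Project = Struct.new(:visibility, :issues_access, :members, :milestones,
                     keyword_init: true)

# Vulnerable check: only asks whether the project itself is readable.
# On a public project this is true for everyone, so restricted issue
# settings never get consulted.
def milestones_readable_vulnerable?(project, user)
  project.visibility == :public || project.members.include?(user)
end

# Corrected check: milestones are part of the issue tracker, so they are
# listed only to users who may read issues. When issues are restricted to
# project members, a non-member gets nothing even on a public project.
def can_read_issues?(project, user)
  member = project.members.include?(user)
  return false unless project.visibility == :public || member

  case project.issues_access
  when :everyone     then true
  when :members_only then member
  else false # :disabled or any unknown level fails closed
  end
end

def milestones_readable_fixed?(project, user)
  can_read_issues?(project, user)
end

# Models the autocomplete source: returns the milestone list the endpoint
# would hand back to this user under the given access check.
def autocomplete_milestones(project, user, checker)
  return [] unless checker.call(project, user)

  project.milestones.map { |title| { title: title } }
end

# Constructed sample project mirroring the report's setting.
SAMPLE = Project.new(
  visibility: :public,
  issues_access: :members_only,
  members: ["alice"],
  milestones: ["v1.0", "v1.1"]
)

if __FILE__ == $PROGRAM_NAME
  vulnerable = method(:milestones_readable_vulnerable?)
  fixed      = method(:milestones_readable_fixed?)
  puts "non-member, vulnerable check: #{autocomplete_milestones(SAMPLE, 'mallory', vulnerable).inspect}"
  puts "non-member, fixed check:      #{autocomplete_milestones(SAMPLE, 'mallory', fixed).inspect}"
  puts "member, fixed check:          #{autocomplete_milestones(SAMPLE, 'alice', fixed).inspect}"
end
```

The design point is that the check guarding a secondary endpoint (autocomplete, JSON helpers) has to be the same one that guards the primary UI; a regression test that exercises the non-member path against every endpoint serving milestone data is what catches the second leak after the first one is fixed.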