Private Merge Request in Public Project is Disclosed in Milestones

HackerOne report #453534 by ngalog on 2018-12-01:

Summary: Consider the following settings: a public project limits its merge requests to members only, so none of the MRs should be accessible to the public; however, a lack of access control leaks MR titles in the milestone detail tab.

Steps To Reproduce (Fast):

  • Visit here
  • You should see an MR title below; it is shown inside the tab (Screen_Shot_2018-12-02_at_12.17.01_AM.png)
  • Click the link; it returns a 404, meaning the MR is private, yet its title was still leaked in the previous step

Steps To Reproduce (Slow):

  • Create a public project with Ultimate access and the following config (Screen_Shot_2018-12-02_at_12.18.49_AM.png)
  • Create a milestone
  • Create an MR and associate it with the milestone you created in the last step
  • As an unauthenticated user, visit https://gitlab.com/:project_namespace/milestones
  • Click the milestone
  • Click the Merge Requests tab
  • The title of the MR is disclosed in the tab
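The defect is that the milestone view lists MRs by milestone without consulting the project's merge-request access level. The toy model below is an added illustration, not GitLab's code: `Project`, `MergeRequest`, `milestone_mrs_leaky` and `milestone_mrs_for` are hypothetical names, and the sample data is constructed.

```ruby
# Added illustration, not GitLab's code: a minimal model of the access check
# a milestone page must apply before listing merge requests.

# mr_access models the project's merge-request feature level:
#   :enabled  - visible to anyone who can see the project
#   :private  - members only (the configuration in this report)
#   :disabled - nobody
Project = Struct.new(:visibility, :mr_access, :members) do
  def member?(user)
    !user.nil? && members.include?(user)
  end

  # A viewer may see MRs only if the feature is on and, when it is
  # restricted to members, the viewer is a member of the project.
  def merge_requests_visible_to?(user)
    case mr_access
    when :enabled then visibility == :public || member?(user)
    when :private then member?(user)
    else false
    end
  end
end

MergeRequest = Struct.new(:title, :project, :milestone)

# Leaky shape: every MR attached to the milestone is listed, regardless
# of whether the viewer may see merge requests in that project.
def milestone_mrs_leaky(all_mrs, milestone)
  all_mrs.select { |mr| mr.milestone == milestone }.map(&:title)
end

# Hardened shape: the same query, but each MR is filtered by the viewer's
# permission on its own project, so anonymous visitors see no titles.
def milestone_mrs_for(all_mrs, milestone, user)
  all_mrs
    .select { |mr| mr.milestone == milestone }
    .select { |mr| mr.project.merge_requests_visible_to?(user) }
    .map(&:title)
end

# Constructed sample: a public project whose MRs are members-only.
SAMPLE_PROJECT = Project.new(:public, :private, ['alice'])
SAMPLE_MILESTONE = 'v1.0'
SAMPLE_MRS = [
  MergeRequest.new('Internal fix (members only)', SAMPLE_PROJECT, SAMPLE_MILESTONE),
  MergeRequest.new('Unrelated MR', SAMPLE_PROJECT, 'v2.0')
]

puts "leaky:    #{milestone_mrs_leaky(SAMPLE_MRS, SAMPLE_MILESTONE).inspect}"
puts "hardened: #{milestone_mrs_for(SAMPLE_MRS, SAMPLE_MILESTONE, nil).inspect}"
```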

Impact

Private Merge Request in Public Project is Disclosed in Milestones
