Private Merge Request in Public Project is Disclosed in Milestones
HackerOne report #453534 by ngalog on 2018-12-01:
Summary: Consider the following setting: a public project restricts its merge requests (MRs) to members only, so none of its MRs should be accessible to the public. However, a missing access check leaks MR titles in the milestone detail tab.
Steps To Reproduce (Fast):
- Visit here
- You should see an MR title below, shown inside the tab
- Click the link; it returns a 404, meaning the MR is private, yet its title was still leaked in the previous step
Steps To Reproduce (Slow):
- Create a public project with ultimate access with following config
- Create a milestone
- Create an MR and associate it with the milestone you created in the previous step
- As an unauthenticated user, visit https://gitlab.com/:project_namespace/milestones
- Click the milestone
- Click the Merge Requests tab
- The title of the MR is disclosed in the tab
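The root cause described above is a listing that checks only project-level visibility, while the MR page itself applies the per-feature "merge requests: members only" check (hence the 404). The following Ruby model is an added illustration, not GitLab's code; the `Project`, `MergeRequest` and `Milestone` structs and the `:private`/`:enabled` access levels are assumptions made for the example.

```ruby
# Added illustration (not GitLab's code): a public project can restrict its
# merge requests to members via a per-feature access level. A milestone's MR
# listing must apply that feature-level check, not only project visibility.

Project = Struct.new(:visibility, :merge_requests_access, :members, keyword_init: true)
MergeRequest = Struct.new(:title, :project, keyword_init: true)
Milestone = Struct.new(:title, :merge_requests, keyword_init: true)

# Project-level check only: true for any public project, member or not.
def project_visible?(project, user)
  project.visibility == :public || project.members.include?(user)
end

# Feature-level check: MRs may be members-only even when the project is public.
def merge_requests_visible?(project, user)
  return false unless project_visible?(project, user)
  case project.merge_requests_access
  when :enabled then true
  when :private then project.members.include?(user)
  else false # :disabled
  end
end

# Vulnerable listing, as in the report: filters only on project visibility,
# so titles of members-only MRs leak into the milestone tab.
def milestone_mr_titles_vulnerable(milestone, user)
  milestone.merge_requests.select { |mr| project_visible?(mr.project, user) }.map(&:title)
end

# Fixed listing: enforces the same per-feature check the MR page itself applies.
def milestone_mr_titles_fixed(milestone, user)
  milestone.merge_requests.select { |mr| merge_requests_visible?(mr.project, user) }.map(&:title)
end

# Constructed sample data: public project, MRs restricted to members.
PROJECT = Project.new(visibility: :public, merge_requests_access: :private, members: ["maintainer"])
MILESTONE = Milestone.new(title: "v1.0",
                          merge_requests: [MergeRequest.new(title: "Fix secret rotation", project: PROJECT)])

# nil stands for an unauthenticated visitor.
puts "vulnerable: #{milestone_mr_titles_vulnerable(MILESTONE, nil).inspect}"
puts "fixed:      #{milestone_mr_titles_fixed(MILESTONE, nil).inspect}"
```

The practical check for a defender is the one in `milestone_mr_titles_fixed`: every place that renders an MR (lists, tabs, search, API) must go through the same feature-level authorization as the MR page itself.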
Impact
Private Merge Request in Public Project is Disclosed in Milestones