Guests can know whether merge request template name exists or not

HackerOne report #453883 by ashish_r_padelkar on 2018-12-02:

Summary: As a guest in a private project, the guest cannot see merge requests. So they should not see merge request templates created at /.gitlab/merge_request_templates

Templates are created with .md extensions and are visible in a merge request dropdown. As guests cannot see/create merge requests, they should not see these templates, and they do not, as expected!

However, there is a way to find out by brute forcing which template names exist in the folder /.gitlab/merge_request_templates using the responses!

Steps To Reproduce:

  1. As owner of a private project, create 1 template at /.gitlab/merge_request_templates. Say MergeTemplate

  2. Now as a guest user in the project, directly visit https://gitlab.com/<UserName>/<projectName>/templates/merge_request/MergeTemplate

  3. They will see a 404 error page, which is correct

  4. Now try with a different name instead: https://gitlab.com/<UserName>/<projectName>/templates/merge_request/MergeTemplateOther

  5. They should see a 404 here too, but instead they see a 500 page!!

  6. So if they can guess the correct (case-sensitive) name of a template, they can actually know that a template with that name exists!

  7. So as a guest, if the response is 404, a template with that name exists! If 500, the template name doesn't exist!

This may be a small issue and requires brute forcing, but I would suggest fixing this, as it should return a consistent 404 response for all names for guests

Regards, Ashish

Impact

  1. Guests can know that a template exists in a private project
  2. This may work for public projects where repository settings are Project Members Only, but I have not tried that yet
Edited by Luke Duncalfe
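The response-code oracle the report describes comes down to ordering: if the template is looked up before the authorisation check, an unknown name fails one way (an unhandled error, hence 500) while a known name reaches the access check and fails another way (404). The following is an added illustration, not GitLab's code and not the reporter's: a minimal, hypothetical model of such an endpoint showing the leaking ordering beside the consistent-404 fix, plus a regression check that flags any status difference for a user who lacks merge request access. The `Project` struct, the role list, and the `run_handler` wrapper are constructed for the example.

```ruby
# Added example (not GitLab's code): a minimal model of a merge request
# template endpoint that reproduces the 404/500 oracle from the report and
# shows the consistent-404 fix plus a regression check for the oracle.

# Constructed data model (hypothetical, not GitLab's classes).
Project = Struct.new(:visibility, :templates, :members)

# Guests cannot read merge requests in a private project; higher roles can.
def can_read_merge_request?(project, user)
  %i[reporter developer maintainer owner].include?(project.members[user])
end

# A Rails app turns an unhandled exception into a 500; model that with a rescue.
def run_handler
  yield
rescue StandardError
  500
end

# Leaking ordering (hypothetical reconstruction of the reported behaviour):
# the template is loaded before authorisation, so an unknown name raises and
# becomes a 500, while a known name reaches the access check and gets a 404.
def template_status_vulnerable(project, user, name)
  run_handler do
    template = project.templates.fetch(name) # KeyError for unknown names
    next 404 unless can_read_merge_request?(project, user)
    template.empty? ? 204 : 200
  end
end

# Fixed ordering: authorise first, and treat a missing template as an ordinary
# 404, so a guest sees the same response whether or not the name exists.
def template_status_fixed(project, user, name)
  run_handler do
    next 404 unless can_read_merge_request?(project, user)
    template = project.templates[name]
    next 404 if template.nil?
    template.empty? ? 204 : 200
  end
end

# Regression check worth keeping in a test suite: for a user without merge
# request access, the status for an existing template name must equal the
# status for an unknown name; any difference is an existence oracle.
def existence_oracle?(handler, project, user, existing_name, unknown_name)
  handler.call(project, user, existing_name) != handler.call(project, user, unknown_name)
end

# Constructed sample project matching the report's scenario: private, one
# template named MergeTemplate, an owner and a guest.
SAMPLE = Project.new(
  :private,
  { "MergeTemplate" => "## Checklist\n" },
  { "owner" => :owner, "guest" => :guest }
)

if __FILE__ == $PROGRAM_NAME
  %w[MergeTemplate MergeTemplateOther].each do |name|
    puts "guest #{name}: leaking=#{template_status_vulnerable(SAMPLE, 'guest', name)} " \
         "fixed=#{template_status_fixed(SAMPLE, 'guest', name)}"
  end
end
```

The `existence_oracle?` check is the piece a defender keeps: run it against every handler that serves per-project resources, with a user below the required access level, and fail the build if the status codes ever diverge between a real and a made-up resource name.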