Moving an issue to private repo leaks namespace and project name
HackerOne report #506157 by xanbanx
on 2019-03-07, assigned to asaba
:
In the latest release of GitLab, moved issues contain a link in the web interface to the new issue.
When moving an issue to a private project, the namespace and project name is leaked to any user who can see the original issue through the closed (moved)
badge, which contains a link to the new issue.
Steps to reproduce
Tested on GitLab 11.9.0-rc3-ee
- Create a public repo and create an issue on that project
- Create a private repo
- From the user interface, move the issue from the private project
By moving the issue, the issue automatically gets closed. What's new, in the latest release is that the closed badge contains a link to the moved issue, now in a private project.
This link is also visible for unauthorized users. When visiting the closed issue without being logged in, the link in the closed (moved)
badge leaks the namespace and project name of the private project.
Steps to mitigate
Similar to system notes, do not show the link to the moved issue if the user does not have access to the other project.
Impact
The namespace and project name is leaked to unauthorized users when visiting a moved issue.