Number of related merge requests leaked to users with no merge request access
HackerOne report #506142 by xanbanx
on 2019-03-07, assigned to hackerjuan
GitLab added a new API response field in the latest release.
The issues API now returns the number of related merge requests.
However, this count is also shown to users who do not have access to the project's merge requests.
Steps to reproduce
Tested on GitLab 11.9.0-rc3-ee
- Create a public project with the repository restricted to project members
- Create an issue and a related merge request, which closes this issue
- As a non-project member, perform the following API call:

```shell
curl --header "PRIVATE-TOKEN: <your-PAT>" "https://gitlab.example.com/api/v4/projects/<project-id>/issues"
```

This returns a response similar to this:
```json
[
  {
    "id": 244,
    "iid": 1,
    "project_id": 15,
    "title": "Test Issue",
    "description": "",
    "state": "opened",
    "created_at": "2019-03-07T12:55:13.412Z",
    "updated_at": "2019-03-07T12:55:13.412Z",
    "closed_at": null,
    "closed_by": null,
    "labels": [],
    "milestone": null,
    "assignees": [],
    "author": {
      "id": 1,
      "name": "Administrator",
      "username": "root",
      "state": "active",
      "avatar_url": "https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon",
      "web_url": "http://localhost:3000/root"
    },
    "assignee": null,
    "user_notes_count": 0,
    "merge_requests_count": 1,
    "upvotes": 0,
    "downvotes": 0,
    "due_date": null,
    "confidential": false,
    "discussion_locked": null,
    "web_url": "http://localhost:3000/root/test/issues/1",
    "time_stats": {
      "time_estimate": 0,
      "total_time_spent": 0,
      "human_time_estimate": null,
      "human_total_time_spent": null
    }
  }
]
```

As you can see, this includes the field `merge_requests_count`, which should be restricted to users who have access to merge requests.
Steps to mitigate
Do not include the number of related merge requests in the issue response when the requesting user does not have access to the project's merge requests.
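The mitigation above, as an added example that is not GitLab's own code: a minimal Ruby model (Ruby chosen because GitLab is a Rails application) of a public project whose merge requests are restricted to members, with an issue presenter that exposes `merge_requests_count` only to callers who may read those merge requests. The `Project`, `User`, `Issue` structs and the `:merge_requests_access` levels are hypothetical simplifications of GitLab's real models.

```ruby
require 'json'

# Hypothetical minimal models (not GitLab's): a project has a visibility and a
# feature access level for merge requests; :enabled means anyone who can see
# the project, :private means project members only.
Project = Struct.new(:id, :visibility, :merge_requests_access, :member_ids)
User    = Struct.new(:id)
Issue   = Struct.new(:id, :iid, :project, :title, :merge_requests_count)

def member?(user, project)
  !user.nil? && project.member_ids.include?(user.id)
end

# Authorization check the presenter must consult before exposing the count.
def can_read_merge_requests?(user, project)
  return false if project.visibility == :private && !member?(user, project)

  case project.merge_requests_access
  when :enabled then true
  when :private then member?(user, project)
  else false
  end
end

# Serialises an issue for the API. The fix from "Steps to mitigate": the
# merge_requests_count key is only added when the caller may read merge requests.
def present_issue(issue, current_user)
  payload = {
    'id' => issue.id,
    'iid' => issue.iid,
    'project_id' => issue.project.id,
    'title' => issue.title
  }
  if can_read_merge_requests?(current_user, issue.project)
    payload['merge_requests_count'] = issue.merge_requests_count
  end
  payload
end

# Constructed data mirroring the report: public project, repository (and so
# merge requests) restricted to members, one issue with one related MR.
PROJECT  = Project.new(15, :public, :private, [1])
ISSUE    = Issue.new(244, 1, PROJECT, 'Test Issue', 1)
MEMBER   = User.new(1)
OUTSIDER = User.new(2)

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate('member' => present_issue(ISSUE, MEMBER),
                            'outsider' => present_issue(ISSUE, OUTSIDER),
                            'anonymous' => present_issue(ISSUE, nil))
end
```

Running the file prints the member's payload with `"merge_requests_count": 1` while the outsider and anonymous payloads omit the key entirely.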
Impact
Users without access to a project's merge requests learn the number of merge requests related to each issue.
Edited by Alexander Dietrich