Default Branch exposed when invalid url is submitted in comments
HackerOne report #531694 by ashish_r_padelkar
on 2019-04-08, assigned to estrike
Summary
Hello,
When a public project has the settings shown below, none of its repository-related information should be visible to the public.
However, anybody can learn the default branch of the repository by submitting invalid URLs in issue comments.
For example, if you comment [Click](NotAValidaUrl), it will create a link in the comment. When you hover over the link, the status bar at the bottom of the browser will show a URL that looks like
https://gitlab.com/<UserName>/<ProjectName>/<DefaultBranch>NotAValidaUrl
From the above URL, anybody would know the default branch!
Steps to reproduce
- Apply the project settings shown above to a public project
- Log in as any user and comment on any issue with something like
[Click](NotAValidaUrl)
- Hover over the link that is created. Look at the status bar of the browser and it will show you a URL like the one below
https://gitlab.com/<UserName>/<ProjectName>/<DefaultBranch>NotAValidaUrl
What is the current bug behavior?
Discloses the default branch of the repository when the repository is set to Only Project Members.
What is the expected correct behavior?
When the repository is set to Only Project Members, the default branch should not be visible like this.
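To make the described behaviour and the expected one concrete, here is an added Ruby illustration (not GitLab's code): a link rewriter that always resolves relative link targets against the default branch, as the report observes, beside a variant that only embeds the branch when the viewer is allowed to read the repository, plus a regression check. The project data, helper names and URL layout are constructed assumptions for the example.

```ruby
require 'uri'

# Constructed sample project for the example; not real GitLab data.
Project = Struct.new(:namespace, :name, :default_branch, :repo_public, keyword_init: true)

SAMPLE_PROJECT = Project.new(
  namespace: 'example-user', name: 'example-project',
  default_branch: 'secret-branch-name', repo_public: false
)

# A markdown href is "relative" when it has no scheme and is not root- or fragment-relative.
def relative_href?(href)
  uri = URI.parse(href)
  uri.scheme.nil? && !href.start_with?('/', '#')
rescue URI::InvalidURIError
  true
end

# Behaviour the report describes (illustrative reconstruction): every relative target is
# rewritten against the default branch, so the branch name reaches anyone who can read
# the comment, regardless of repository visibility.
def rewrite_link_leaky(project, href)
  return href unless relative_href?(href)
  "https://gitlab.com/#{project.namespace}/#{project.name}/#{project.default_branch}/#{href}"
end

# Hardened variant: the branch name is embedded only when this viewer may read the repository.
# Otherwise the href is left as written, so it resolves against the issue page and reveals
# nothing about the repository.
def rewrite_link_hardened(project, href, viewer_is_member:)
  return href unless relative_href?(href)
  return rewrite_link_leaky(project, href) if viewer_is_member || project.repo_public
  href
end

# Regression check: does a rendered href expose the default branch to a viewer
# who is not entitled to see the repository?
def leaks_default_branch?(project, rendered_href, viewer_is_member:)
  return false if viewer_is_member || project.repo_public
  rendered_href.include?(project.default_branch)
end
```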
Output of checks
This bug happens on GitLab.com and possibly on Omnibus installations too!
Regards,
Ashish
Impact
The default branch is visible when the repository is set to Only Project Members.