
Default Branch exposed when invalid url is submitted in comments

HackerOne report #531694 by ashish_r_padelkar on 2019-04-08, assigned to estrike:

Summary

Hello,

When a public project has the settings shown below, none of its repository-related information should be visible to the public.

Screenshot_2019-04-09_at_00.40.44.png

However, anybody can discover the default branch of the repository by submitting invalid URLs in issue comments.

For example, if you comment [Click](NotAValidaUrl), it will create a comment containing a link. When you hover over the link, the status bar at the bottom of the browser shows a URL that looks like:

https://gitlab.com/<UserName>/<ProjectName>/<DefaultBranch>NotAValidaUrl

From the above URL, anybody would know the default branch!

Steps to reproduce

  1. Apply the project settings shown above to a public project.
  2. Log in as any user and comment on any issue with [Click](NotAValidaUrl).
  3. Hover over the link that is created. Look at the status bar of the browser; it will show a URL like https://gitlab.com/<UserName>/<ProjectName>/<DefaultBranch>NotAValidaUrl

What is the current bug behavior?

Discloses the default branch of the repository when the repository is set to Only Project Members.

What is the expected correct behavior?

When the repository is set to Only Project Members, the default branch should not be visible like this.

Output of checks

This bug happens on GitLab.com and may be present on Omnibus installations too!

Regards,
Ashish

Impact

The default branch is visible when the repository is set to Only Project Members.
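The following is an added example, not code from the report or from GitLab. It models the behaviour the report describes (a link target that is not a valid URL is rewritten to an absolute repository URL with the default branch name spliced in front of it, exactly in the form quoted above) and then checks rendered comment HTML for links that reveal a given default branch. The project path, branch name and sample HTML are constructed for the example; the `resolve_link_target` rewrite is a model of the URL shown in the report, not GitLab's own implementation.

```python
"""Check rendered comment HTML for default-branch disclosure.

Added example, not code from the report or from GitLab. The sample HTML
below is constructed; the project path "example-user/example-project" and
the branch name "master" are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def resolve_link_target(target, project_url, default_branch):
    """Model of the rewrite the report describes (an assumption, not GitLab
    source): a target with no URL scheme is treated as repository-relative
    and the default branch name is prepended to it, with no separator,
    giving https://gitlab.com/<UserName>/<ProjectName>/<DefaultBranch>target.
    Targets that already carry a scheme are left untouched."""
    if urlsplit(target).scheme:
        return target
    return f"{project_url.rstrip('/')}/{default_branch}{target}"


class _HrefCollector(HTMLParser):
    """Collect every href attribute from <a> tags in a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def find_branch_disclosures(html, project_path, default_branch):
    """Return the hrefs in `html` whose path reveals `default_branch`
    directly under `project_path` ("<UserName>/<ProjectName>").

    Both the concatenated form quoted in the report (branch name immediately
    after the project path) and the blob/tree/raw forms GitLab uses for real
    repository paths are matched. A branch name that is a prefix of another
    path segment (e.g. "main" vs "maintenance/...") would also match, which
    is acceptable for a leak check that should err on the side of reporting.
    """
    prefix = "/" + project_path.strip("/") + "/"
    markers = ("", "blob/", "tree/", "raw/", "-/blob/", "-/tree/", "-/raw/")
    leaks = []
    for href in extract_hrefs(html):
        path = urlsplit(href).path
        if not path.startswith(prefix):
            continue
        rest = path[len(prefix):]
        if any(rest.startswith(marker + default_branch) for marker in markers):
            leaks.append(href)
    return leaks


# Constructed sample: the rendered form of a comment containing
# [Click](NotAValidaUrl) plus an ordinary external link for contrast.
PROJECT_URL = "https://gitlab.com/example-user/example-project"
SAMPLE_COMMENT_HTML = (
    '<p><a href="' + resolve_link_target("NotAValidaUrl", PROJECT_URL, "master")
    + '">Click</a> and <a href="https://example.org/docs">docs</a></p>'
)

if __name__ == "__main__":
    for leak in find_branch_disclosures(
        SAMPLE_COMMENT_HTML, "example-user/example-project", "master"
    ):
        print("default branch disclosed by link:", leak)
```

To use this against a real instance, fetch the rendered HTML of a comment (for example via the API, as a user who is not a project member) and pass it to `find_branch_disclosures` together with the project path and the branch name you expect to be hidden; an empty list means no link in that comment reveals the branch.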

Attachments

Warning: Attachments received through HackerOne, please exercise caution!