New issue ID visible when issue is moved to private project

HackerOne report #584534 by ashish_r_padelkar on 2019-05-19, assigned to estrike:

Summary

Hello,

Very low severity but i think this needs fixing.

When issue is moved to private projects, none of its information is visible publicly of new project that it is moved too.

However, anyone can still know the new issue internal ID which is still visible in json response.

Steps to reproduce

1. As a project member in public project, move any issue to private project. This will close the original issue.
2. Now any authenticated user can just navigate to original issue https://gitlab.com/<GroupName>/<ProjectName>/issues/<IssueID>.json
3. In response , you will get a parameter name moved_to_id . This is new issue ID which is created when this issue is moved!

What is the current bug behavior?

Anyone is able to see new issue internal ID

What is the expected correct behavior?

This information should not be visible publicly

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

1. Everyone can know that issue is moved. Currently as a non member/guest, you can not determine that the issue is moved. It only shows that issue is closed in UI. However, knowing that moved_to_id parameter exists in response shows that issue is moved to different private project!

2. The new issue internal ID is visible to everyone

• Dev security issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2878