Disclosure of Merge Request ID to Unauthorized Users
Summary
When an issue is closed via a merge request, the email notification sent to users who have access to issues, but not to the repository, includes a reference to the merge request. This includes users who are:
- Guests in private projects
- Non-project users in public/internal projects where access to the repository has been limited to Project Members Only.
Steps to reproduce
- Create private project with user2 as a Guest
- Create an issue
- Tag user2 in issue so that they receive notifications
- Create a merge request, which closes the issue
- Merge the merge request to close the issue
What is the current bug behavior?
User2 above will receive an email with the following text
Issue was closed by User1 via merge request!1
What is the expected correct behavior?
The merge request reference should not be included in the email.
Output of checks
This happens on GitLab.com
Possible fixes
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/helpers/emails_helper.rb#L91 does not check that the recipient has permission to read the merge request before including the reference in the email body.
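The gist of the fix is to gate the reference on the recipient's permission rather than on the closer's. The following is an added, self-contained Ruby sketch of that check (not GitLab's own helper code): the Project, MergeRequest and closed_via_merge_request_message names, and the simplified role/visibility model, are assumptions made for the illustration.

```ruby
# Added example, not GitLab's code: build the "issue closed" notification text
# and only mention the merge request when the recipient may read the repository.
# Project, MergeRequest and closed_via_merge_request_message are assumed names.

Project = Struct.new(:visibility, :members, :repository_access) do
  # Can this user read the project's repository (and therefore its merge requests)?
  # Simplified role model for the example: :guest, :developer, :maintainer or nil (non-member).
  def can_read_repository?(user)
    role = members[user]
    return true if role == :developer || role == :maintainer
    # Guests never see the repository, regardless of project visibility.
    return false if role == :guest
    # Non-members only see it in public/internal projects whose repository
    # access has not been limited to Project Members Only.
    visibility != :private && repository_access == :everyone
  end
end

MergeRequest = Struct.new(:iid, :project) do
  # GitLab-style short reference, e.g. "!1"
  def to_reference
    "!#{iid}"
  end
end

# Returns the email text for one recipient; the MR reference is included only
# when that recipient can read the repository the MR belongs to.
def closed_via_merge_request_message(recipient, closer, merge_request)
  if merge_request.project.can_read_repository?(recipient)
    "Issue was closed by #{closer} via merge request #{merge_request.to_reference}"
  else
    "Issue was closed by #{closer}"
  end
end

if __FILE__ == $0
  # Constructed sample: private project, user2 is a Guest, user1 merged the MR.
  project = Project.new(:private, { "user2" => :guest, "user1" => :maintainer }, :members_only)
  mr = MergeRequest.new(1, project)
  puts closed_via_merge_request_message("user2", "User1", mr)
  puts closed_via_merge_request_message("user1", "User1", mr)
end
```

In the real helper the permission check would be the application's existing authorization call for the recipient against the merge request; the point is that the check runs per recipient at render time, since one closing event fans out to recipients with different access levels.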
Edited by Ethan Strike