Dependency scanning job info visible despite no access to repository

HackerOne report #638498 by ashish_r_padelkar on 2019-07-09:

Summary

Hello,

When a public project has the settings below, none of the pipeline/job info should be visible publicly.

Screenshot_2019-07-10_at_00.48.19.png

However, anyone on GitLab can see the Dependency job status and potentially other info which I think should not be visible.

I am not too sure whether the Dependency List should be visible there in the first place. Even if it's intentional, I still believe that job info should not be visible like the one below.

Screenshot_2019-07-10_at_00.52.31.png

Steps to reproduce

  1. Set up your project with the settings above.
  2. Visit the project as any other user and open the Dependency List feature from the project menu.
  3. You should see the "job failed" message along with the link and the artifacts to download.

What is the current bug behavior?

Dependency_scanning job info is visible publicly despite no access to pipelines.

What is the expected correct behavior?

None of the info related to pipelines should be visible.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish
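To illustrate the authorization gap the report describes, here is an added example (not GitLab's code, and not part of the original report) in Ruby, the language GitLab is written in. It models a project whose pipelines are restricted to members, and contrasts a dependency-list view that attaches job data for every viewer with a hardened form that applies the same pipeline-visibility check the Pipelines page would. Every name in it (Project, Pipeline, User, can_read_pipeline?, the :everyone / :members_only / :disabled access levels, and the sample data) is hypothetical and constructed for the example.

```ruby
# Added example, not GitLab's code: a minimal model of the authorization
# check a dependency-list view should apply before exposing job data.
# All names (Project, Pipeline, User, can_read_pipeline?, the access
# levels :everyone / :members_only / :disabled) are hypothetical.

Project  = Struct.new(:name, :public, :pipelines_access, :members)
Pipeline = Struct.new(:status, :job_name, :artifact_url)
User     = Struct.new(:name)

# Anonymous viewers are represented by nil.
def member?(user, project)
  !user.nil? && project.members.include?(user.name)
end

# The single check every pipeline-derived view should share. A project
# set to :members_only mirrors the setting shown in the report.
def can_read_pipeline?(user, project)
  case project.pipelines_access
  when :disabled     then false
  when :everyone     then project.public || member?(user, project)
  when :members_only then member?(user, project)
  else false
  end
end

def job_summary(pipeline)
  { name: pipeline.job_name, status: pipeline.status, artifacts: pipeline.artifact_url }
end

# The behaviour the report describes: job status, link and artifacts are
# attached to the dependency list regardless of who is viewing it.
def dependency_list_leaky(_user, _project, pipeline)
  { dependencies: [], job: job_summary(pipeline) }
end

# Hardened form: job data is attached only when the viewer passes the
# same visibility check that gates the Pipelines page.
def dependency_list_guarded(user, project, pipeline)
  view = { dependencies: [] }
  view[:job] = job_summary(pipeline) if can_read_pipeline?(user, project)
  view
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not taken from the report.
  project    = Project.new("demo", true, :members_only, ["maintainer"])
  pipeline   = Pipeline.new("failed", "dependency_scanning", "/jobs/1/artifacts/download")
  maintainer = User.new("maintainer")

  puts "leaky, anonymous viewer sees job:   #{dependency_list_leaky(nil, project, pipeline).key?(:job)}"        # true
  puts "guarded, anonymous viewer sees job: #{dependency_list_guarded(nil, project, pipeline).key?(:job)}"      # false
  puts "guarded, member sees job:           #{dependency_list_guarded(maintainer, project, pipeline).key?(:job)}" # true
end
```

The point of the design is that the dependency list does not get its own notion of who may see job data; it reuses the one predicate the pipeline pages already enforce, so a new view cannot quietly widen what a project setting was meant to restrict.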

Impact

Dependency scanning job info visible despite no access to repository

Attachments

Warning: Attachments received through HackerOne, please exercise caution!