  • #23548

Closed
Open
Created Oct 19, 2016 by Patrick Fiedler@rabbitfang

Information leakage with references to MRs where project is public, but MRs are private

Summary

The title of an MR can be leaked if referenced, even if the project to which the MR belongs restricts access to MRs.

Discovered on GitLab.com 8.13.0-rc3-ee

Steps to reproduce

  1. Create a public project.
  2. Modify project settings so the "Feature Visibility" setting for either "Repository" or "Merge requests" is set to "Only Team Members".
  3. Create a new merge request in the project (you will need to push two divergent branches beforehand). In theory, this MR should only be visible to team members.
  4. Create an issue that references this MR.
  5. In a private/incognito browsing window, view the newly created issue.

Expected behavior

The MR reference should not be a link (to a non-project-member user), and the MR title should not be shown in the "Related Merge Requests" section.

Actual behavior

The MR reference is a link (that leads to 404), and the MR title is included in the "Related Merge Requests" section.

Relevant logs and/or screenshots

Project settings: Screen_Shot_2016-10-19_at_1.42.58_PM

"Private" MR: Screen_Shot_2016-10-19_at_1.40.09_PM

View as project member (notice that I am logged in here): Screen_Shot_2016-10-19_at_1.41.06_PM

View as an anonymous user (notice that I am not logged in here): Screen_Shot_2016-10-19_at_1.42.47_PM

Additional notes

I did not check to see if the same info leakage exists for issues (i.e. if issue references leak titles when access to issues is restricted), but it might very well be the case that issue titles can also be leaked in the same manner.

Suggested labels

security ~Frontend
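The fix the report implies is that reference rendering must check the viewer's access to the referenced record (and to the project feature it belongs to) before emitting a link or a title. The following is an added toy model written for this page, not GitLab's own code: it assumes a hypothetical `Project` with per-feature visibility (`:everyone` or `:team_members`), a `render_references` helper, and constructed sample data; it also covers `#N` issue references, the case the reporter suspected but did not test.

```ruby
require "cgi"

# Hypothetical project model: a public project whose "Merge requests" and
# "Issues" features can each be restricted to team members (constructed).
Project = Struct.new(:id, :is_public, :merge_requests_visibility, :issues_visibility, :members)
Viewer  = Struct.new(:id)
ANONYMOUS = nil # a logged-out visitor

def member?(project, viewer)
  !viewer.nil? && project.members.include?(viewer.id)
end

# Feature visibility check: :everyone allows any viewer of a public project,
# :team_members requires membership (the "Only Team Members" setting).
def can_read_feature?(project, feature, viewer)
  return false unless project.is_public || member?(project, viewer)
  case project.public_send("#{feature}_visibility")
  when :everyone     then true
  when :team_members then member?(project, viewer)
  else false
  end
end

REF_PATTERN = /(?<sigil>[!#])(?<iid>\d+)/ # !N = merge request, #N = issue

# Rewrite references in +text+ into links carrying the target's title, but only
# when +viewer+ may read the target; otherwise leave the plain reference text,
# so neither a link nor a title is exposed to an unauthorized reader.
def render_references(text, project, viewer, records)
  text.gsub(REF_PATTERN) do
    sigil, iid = $~[:sigil], $~[:iid].to_i
    feature = sigil == "!" ? :merge_requests : :issues
    record  = records.dig(feature, iid)
    next $~[0] unless record && can_read_feature?(project, feature, viewer)

    title = CGI.escapeHTML(record[:title])
    %(<a href="/p/#{project.id}/#{feature}/#{iid}" title="#{title}">#{sigil}#{iid}</a>)
  end
end

# Constructed sample: public project, MRs restricted to team members, issues open.
PROJECT = Project.new(1, true, :team_members, :everyone, [42])
MEMBER  = Viewer.new(42)
RECORDS = {
  merge_requests: { 1 => { title: "Rotate the signing key" } },
  issues:         { 7 => { title: "Public tracking issue" } }
}
```

For the anonymous viewer `!1` stays plain text while `#7` still renders, and only the member sees the MR title.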

Assignee
Assign to
8.14
Milestone
8.14 (Past due)
Assign milestone
Time tracking