Information leakage with references to MRs where project is public, but MRs are private
Summary
The title of an MR can be leaked if it is referenced, even if the project to which the MR belongs restricts access to MRs.
Discovered on GitLab.com 8.13.0-rc3-ee
Steps to reproduce
- Create a public project.
- Modify project settings so the "Feature Visibility" setting for either "Repository" or "Merge requests" is set to "Only Team Members".
- Create a new merge request in the project (two divergent branches will need to be pushed beforehand). In theory, this MR should only be visible to team members.
- Create an issue that references this MR.
- In a private/incognito browsing window, view the newly created issue.
Expected behavior
The MR reference should not be a link (to a non-project-member user), and the MR title should not be shown in the "Related Merge Requests" section.
Actual behavior
The MR reference is a link (that leads to 404), and the MR title is included in the "Related Merge Requests" section.
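As an added example (not GitLab's code), a small model of the check the expected behaviour requires: the reference renderer must authorize the viewer against the MR's feature visibility, not just the project's public visibility, before emitting a link or the title. All names, structures and sample values here are constructed.

```python
# Added example, not GitLab's code: rendering an MR reference ("!1") found in
# issue text, with the viewer authorized before the link and title are emitted.
from dataclasses import dataclass, field

TEAM_ONLY = "Only Team Members"   # "Feature Visibility" setting from the report
EVERYONE = "Everyone"


@dataclass
class Project:
    path: str
    members: set = field(default_factory=set)
    mr_visibility: str = EVERYONE   # project itself is public in the report


@dataclass
class MergeRequest:
    project: Project
    iid: int
    title: str


@dataclass
class User:
    name: str = ""
    anonymous: bool = False


def can_read_mr(user, mr):
    """Project-level public visibility is not enough: the MR feature's own
    visibility decides, and anonymous viewers are never team members."""
    if mr.project.mr_visibility == EVERYONE:
        return True
    return not user.anonymous and user.name in mr.project.members


def render_link_and_title(mr):
    href = f"/{mr.project.path}/merge_requests/{mr.iid}"
    return {"html": f'<a href="{href}">!{mr.iid}</a>', "related_title": mr.title}


def render_reference_leaky(user, mr):
    """Actual behaviour from the report: the viewer is never checked."""
    return render_link_and_title(mr)


def render_reference(user, mr):
    """Expected behaviour: unauthorized viewers get plain text and no title."""
    if not can_read_mr(user, mr):
        return {"html": f"!{mr.iid}", "related_title": None}
    return render_link_and_title(mr)
```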
Relevant logs and/or screenshots
View as project member (notice that I am logged in here):
View as an anonymous user (notice that I am not logged in here):
Additional notes
I did not check to see if the same info leakage exists for issues (i.e. if issue references leak titles when access to issues is restricted), but it might very well be the case that issue titles can also be leaked in the same manner.
Suggested labels
security ~Frontend