HackerOne reported issue: Private group name disclosure in nested group creation
We received this report from HackerOne that describes a way to disclose the names of all private groups:
Congratulations on the launch of GitLab 9.0! While exploring Subgroup functionality, I noticed that an unprivileged user can disclose private group names by incrementing the parent_id parameter.
Proof of Concept
To reproduce this issue, I set up a fresh GitLab 9.0 CE server and created a Private Group using the root account. Afterwards, I created an unprivileged user (no group or project assignments) and visited the below URL, disclosing the name of PrivateGroup.
Attempting to access the PrivateGroup via the standard routes (e.g. Group Page) presents the unprivileged user with the expected 404 page.
http://<instance>/groups/new?parent_id=2
Screenshot
Using this method an attacker could walk through all group ID numbers and disclose every private group name.