Timeline activities disclose merge request ID associated with an issue to guests
HackerOne report #588876 by ashish_r_padelkar on 2019-05-23, assigned to jmatos_bgtvf:
Summary
Hello,
In private projects, Guest users are not allowed to see any information related to merge requests. However, it is possible for them to see the merge request ID associated with an issue (if any) through timeline activity!
Steps to reproduce
- As an owner of a private project, create a merge request for an issue using the button below.
- When the merge request is created, a timeline activity is also created, which is then visible to Guest users in the project.
What is the current bug behavior?
Timeline activity discloses the merge request ID of an issue.
What is the expected correct behavior?
No information related to merge requests should be visible to guest users.
Output of checks
This bug happens on GitLab.com and also on Omnibus installations!
Regards,
Ashish
Impact
Guest users can see the merge request ID associated with an issue in private projects!
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
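The bug class above is a cross-reference leak: a system note on a readable object (the issue) carries a reference to an object the viewer may not read (the merge request), and the timeline renders the note without re-checking the reference. The Ruby below is an added illustration written for this page, not GitLab's code; the `Project`, `User`, `MergeRequest` and `SystemNote` structs, the `can_read?` rule and the sample notes are all constructed assumptions modelled on the report. It shows the leaking timeline beside two hardened variants: one drops the offending note, the other keeps the note but redacts the reference.

```ruby
# Added example (hypothetical model, not GitLab's implementation).
Project      = Struct.new(:visibility)        # :private or :public
User         = Struct.new(:name, :role)       # role: :guest, :developer, :owner
MergeRequest = Struct.new(:iid)               # rendered as "!<iid>"
SystemNote   = Struct.new(:text, :reference)  # reference: cross-referenced object or nil

# Assumed authorization rule taken from the report: guests of a private project
# must not learn anything about merge requests. Everything else is readable.
def can_read?(user, resource, project)
  return true unless resource.is_a?(MergeRequest)
  return true unless project.visibility == :private
  user.role != :guest
end

# Vulnerable behaviour described in the report: every note on the issue is shown
# to anyone who can see the issue, so "!42" reaches guests.
def timeline_unfiltered(notes, _user, _project)
  notes.map(&:text)
end

# Hardened variant 1: drop any note whose cross-reference the viewer cannot read.
def timeline_filtered(notes, user, project)
  notes.select { |n| n.reference.nil? || can_read?(user, n.reference, project) }
       .map(&:text)
end

# Hardened variant 2: keep the note, but replace the unreadable reference so the
# timeline stays complete without revealing the identifier.
def timeline_redacted(notes, user, project)
  notes.map do |n|
    next n.text if n.reference.nil? || can_read?(user, n.reference, project)
    n.text.sub("!#{n.reference.iid}", "[redacted]")
  end
end

# Constructed sample data: an issue timeline with one ordinary comment and one
# system note generated when an owner created a merge request from the issue.
PRIVATE_PROJECT = Project.new(:private)
MR_42           = MergeRequest.new(42)
SAMPLE_NOTES    = [
  SystemNote.new("created merge request !42 to address this issue", MR_42),
  SystemNote.new("Thanks, I can reproduce this on my side.", nil)
].freeze

GUEST     = User.new("guest", :guest)
DEVELOPER = User.new("dev", :developer)

def leaks_to_guest?(timeline_fn)
  send(timeline_fn, SAMPLE_NOTES, GUEST, PRIVATE_PROJECT).any? { |t| t.include?("!42") }
end

if __FILE__ == $PROGRAM_NAME
  %i[timeline_unfiltered timeline_filtered timeline_redacted].each do |fn|
    puts "#{fn}: guest sees #{send(fn, SAMPLE_NOTES, GUEST, PRIVATE_PROJECT).inspect}" \
         " (leak: #{leaks_to_guest?(fn)})"
  end
end
```

The check worth carrying into a real code base is the one in `can_read?` being applied at render time, per viewer, to the referenced object rather than to the note's parent: a note inherits the issue's visibility, but the identifier it embeds belongs to the merge request's visibility.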