Users can reply to merge request discussions despite `Only Project Members` settings
**[HackerOne report #512726](https://hackerone.com/reports/512726)** by `ashish_r_padelkar` on 2019-03-20, assigned to `hackerjuan`:

**Summary:**

Hello,

When a public project contains the settings below, the merge requests are not visible publicly!

![Screenshot_2019-03-20_at_23.45.49.png](https://h1.sec.gitlab.net/a/512726/448705/Screenshot_2019-03-20_at_23.45.49.png)

However, they can see `Repository` and can comment on commit discussions! If they can guess/know the discussion ID of merge request discussions, they can reply to merge request discussions too!

**Description:**

When anyone replies to a discussion on a commit, the following POST request is sent:

```
POST /<UserName>/<PublicProjectName>/notes?html=true HTTP/1.1
Host: gitlab.com
Connection: close
Content-Length: 498
Accept: application/json, text/plain, */*
Origin: https://gitlab.com
X-CSRF-Token: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: 1

utf8=%E2%9C%93&authenticity_token=1&view=inline&line_type=&merge_request_diff_head_sha=&in_reply_to_discussion_id=ff8c6cdc4b899297fc235c69f5e7c9209ddc70db&note_project_id=10776018&target_type=commit&target_id=ef531cc7ac3070e53d6c5892de0f12fda3abf21c&note%5Bnoteable_type%5D=&note%5Bnoteable_id%5D=&note%5Bcommit_id%5D=&note%5Btype%5D=&note%5Bline_code%5D=&note%5Bposition%5D=&note%5Bnote%5D=ThisReplyWillGoToMergeRequest
```

As you can see, there is a parameter named `in_reply_to_discussion_id`. If anyone can know/guess this ID of any merge request discussion within the **SAME** project, they can reply to those discussions too!

## Steps To Reproduce:

1. As a project owner, set merge requests as `Only Project Members` and Repository as `Everyone with Access`.
2. As a normal user, comment on any commit and capture the above request.
3. Change the value of `in_reply_to_discussion_id` to a discussion ID of a merge request within the same project.
4. Send the request. The reply will go to the merge request discussion, although you don't have any permissions on merge requests!

Regards,
Ashish

## Impact

Guessing the discussion ID can be difficult or may not be practically possible to brute force. So how can one know the discussion ID? There may be projects where merge requests were PUBLIC before they became `Only Project Members`. In such cases, users may know the discussions (and their IDs, theoretically noted down somewhere). So after merge requests become `Only Project Members`, they may continue to reply to those discussions which were public before!

Note that this doesn't work for LOCKED merge requests!

Regards,
Ashish

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Screenshot_2019-03-20_at_23.45.49.png](https://h1.sec.gitlab.net/a/512726/448705/Screenshot_2019-03-20_at_23.45.49.png)
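The root cause the report describes is that the reply is authorized against the client-supplied `target_type=commit`, while the note is attached to whatever `in_reply_to_discussion_id` points to. The following Ruby is an added illustration of that check and its hardened form; it is not GitLab's code and uses a constructed, simplified model of projects, discussions and the `Only Project Members` setting (`Project`, `Discussion`, the `:members`/`:everyone` symbols and the discussion ids are all assumptions).

```ruby
# Simplified model (assumed, not GitLab's classes).
Project = Struct.new(:id, :members, :merge_requests_access) do
  def member?(user)
    members.include?(user)
  end
end

# Every discussion belongs to exactly one noteable: a commit or a merge request.
Discussion = Struct.new(:id, :project_id, :noteable_type, :locked)

# Visibility rule for the noteable a discussion really belongs to:
#   commits follow the repository (visible to everyone with access here),
#   merge requests follow the project's merge_requests_access setting.
def can_read_noteable?(user, project, discussion)
  case discussion.noteable_type
  when :commit        then true
  when :merge_request then project.merge_requests_access == :everyone || project.member?(user)
  else false
  end
end

# Vulnerable shape: trusts the client's claimed target_type for the permission
# decision, so a "commit" reply can land on a members-only merge request.
def reply_allowed_vulnerable?(user, project, claimed_target_type, discussion)
  discussion.project_id == project.id &&
    (claimed_target_type == :commit || project.member?(user))
end

# Hardened: resolve the discussion server-side, ignore the claimed target type,
# authorize against the real noteable, and refuse replies on a locked noteable.
def reply_allowed_hardened?(user, project, discussions, discussion_id)
  discussion = discussions[discussion_id]
  return false unless discussion && discussion.project_id == project.id
  return false if discussion.locked
  can_read_noteable?(user, project, discussion)
end

# Constructed scenario: public project, merge requests set to Only Project Members.
PROJECT = Project.new(10776018, ['owner'], :members)
DISCUSSIONS = {
  'commit-disc-1' => Discussion.new('commit-disc-1', 10776018, :commit, false),
  'mr-disc-1'     => Discussion.new('mr-disc-1', 10776018, :merge_request, false),
  'locked-mr-1'   => Discussion.new('locked-mr-1', 10776018, :merge_request, true)
}
```

An outsider claiming `target_type=commit` passes the vulnerable check for `mr-disc-1` but is refused by the hardened one, while their reply to `commit-disc-1` still goes through.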