Information leak: memberships for blocked users and not-yet-approved requests can apply
GitLab sends "project access requested" emails to blocked users.
Steps to reproduce
- Set a user in a group to be "blocked"
- Have another user request access to a group the blocked user is a developer for
No emails should be sent to a blocked user
An email is sent to the blocked user. This discloses both the requestor's details, and the details of all other group members (in the To: header).
Relevant logs and/or screenshots
Here's the email I got (suitably redacted)
Return-Path: <gitlab@...> Delivered-To: <...> Received: from ... Date: Tue, 30 Aug 2016 13:57:35 +0100 From: Gitlab <gitlab@...> Reply-To: Gitlab <gitlab@...> To: other-person-one@..., other-person-two@..., me@... Subject: Request to join the ... group Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_57c582bfcdc18_5ec44ea279465161"; charset=UTF-8 Content-Transfer-Encoding: 7bit ----==_mimepart_57c582bfcdc18_5ec44ea279465161 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit someone (https://gitlab..../u/...) requested Developer access to the ... group. https://gitlab..../groups/.../group_members ----==_mimepart_57c582bfcdc18_5ec44ea279465161 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable ... ----==_mimepart_57c582bfcdc18_5ec44ea279465161--
Output of checks
Results of GitLab application Check
Results of GitLab environment info
Assuming blocked users should not get any emails, ever, then this should just be an additional filter + check in
app/services/notification_service.rb, but I haven't checked yet.