New issue ID visible when issue is moved to private project
HackerOne report #584534 by ashish_r_padelkar on 2019-05-19, assigned to estrike:
Summary
Hello,
Very low severity but i think this needs fixing.
When issue is moved to private projects, none of its information is visible publicly of new project that it is moved too.
However, anyone can still know the new issue internal ID which is still visible in json response.
Steps to reproduce
- As a project member in public project, move any issue to private project. This will close the original issue.
- Now any authenticated user can just navigate to original issue
https://gitlab.com/<GroupName>/<ProjectName>/issues/<IssueID>.json - In response , you will get a parameter name
moved_to_id. This is new issue ID which is created when this issue is moved!
What is the current bug behavior?
Anyone is able to see new issue internal ID
What is the expected correct behavior?
This information should not be visible publicly
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
Impact
-
Everyone can know that issue is moved. Currently as a non member/guest, you can not determine that the issue is moved. It only shows that issue is closed in UI. However, knowing that
moved_to_idparameter exists in response shows that issue is moved to different private project! -
The new issue internal ID is visible to everyone
- Dev security issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2878