Private subgroup path visible in epic timeline when child epic is added.

HackerOne report #638516 by ashish_r_padelkar on 2019-07-09, assigned to akelly:

Summary

Hello,

When a public group has a private sub group inside it, none of the information should be visible publicly.

However, if a private sub group epic is added as a child epic to the public group parent group, the timeline activity discloses the name of the private sub group.

Steps to reproduce

  1. Create a public group
  2. Create a private sub group inside it
  3. Create an epic inside private sub group and set its due dates
  4. Create an epic inside the public group
  5. Add the private epic to public group epic as child epic.
  6. Now log in as any other user and navigate to the public group epic and see the timeline. You should see the timeline activity of the epic added from the private sub group, which discloses the private sub group path.

Screenshot_2019-07-10_at_01.32.26.png

Examples

You can see the timeline activity here. https://gitlab.com/groups/newgroup_t/-/epics/1

You won't find the sub group in this group though, as you don't have access to it.

What is the current bug behavior?

Private sub group path is visible publicly if epic is added as child epic in public group.

What is the expected correct behavior?

None of the private sub group info should be visible.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too.

Regards,
Ashish

Impact

Private sub group path visible when epic is added as child epic in public parent group epic

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-07-10_at_01.32.26.png

Analysis

This bug is caused by some epic resources not being checked for cross references. As this is related to issue #30163 (closed), where more resources are missing, they should be addressed and released together.

Security issue on dev.gitlab.org

Part 1: https://dev.gitlab.org/gitlab/gitlab-ee/issues/377 (Addresses Epic notes' cross references)

Part 2: https://dev.gitlab.org/gitlab/gitlabhq/issues/2920 (Addresses Label and Milestone notes' cross references)

Edited Sep 20, 2019 by Eugenia Grieff
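
An added example (not GitLab's code and not part of the original issue) modelling the cause named in the Analysis: system notes on a public epic are filtered by the epic's own group only, compared with a filter that also checks every cross-referenced epic. All class and method names, the `private-sub` path and the choice to hide the whole note are assumptions made for illustration.

```ruby
# Toy permission model; every name here is hypothetical.
Group = Struct.new(:path, :visibility, :member_names) do
  def readable_by?(user)
    visibility == :public || member_names.include?(user)
  end
end

Epic = Struct.new(:group, :iid) do
  # Constructed reference format: the full reference embeds the group path,
  # which is what ends up in the timeline text.
  def reference
    "#{group.path}&#{iid}"
  end
end

# A system note on `noteable` that mentions other epics (cross references).
SystemNote = Struct.new(:noteable, :action, :mentioned) do
  def text
    [action, *mentioned.map(&:reference)].join(" ")
  end
end

# Before: only the noteable's own group is checked against the viewer.
def visible_notes_unchecked(notes, user)
  notes.select { |n| n.noteable.group.readable_by?(user) }
end

# After: a note is also hidden unless every cross-referenced epic is readable.
def visible_notes_checked(notes, user)
  visible_notes_unchecked(notes, user).select do |n|
    n.mentioned.all? { |e| e.group.readable_by?(user) }
  end
end

# Constructed sample data mirroring the report's reproduction steps.
PUBLIC_GROUP  = Group.new("newgroup_t", :public, [])
PRIVATE_GROUP = Group.new("newgroup_t/private-sub", :private, ["owner"])
PARENT_EPIC   = Epic.new(PUBLIC_GROUP, 1)
CHILD_EPIC    = Epic.new(PRIVATE_GROUP, 1)
NOTES = [
  SystemNote.new(PARENT_EPIC, "added epic", [CHILD_EPIC]),
  SystemNote.new(PARENT_EPIC, "changed title", [])
].freeze

# Note texts that contain the private sub group path.
def leaked_paths(notes)
  notes.map(&:text).select { |t| t.include?(PRIVATE_GROUP.path) }
end
```

A regression test for this class of bug renders the timeline as a non-member and asserts that no note text contains the private group's path, as `leaked_paths` does here.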