Dependency scanning job info visible despite no access to repository
HackerOne report #638498 by ashish_r_padelkar on 2019-07-09:
Summary
Hello,
When a public project has the settings below, none of the pipeline/job info should be visible publicly.
However, anyone on GitLab can see the Dependency job status and potentially other info which I think should not be visible.
I am not too sure whether the Dependency List should be visible there in the first place. Even if it's intentional, I still believe that job info should not be visible, like the one below.
Steps to reproduce
- Set your project with above settings
- Visit the project as any other user and see the dependency list feature from the project menu.
- You should see the job failed message along with the link and the artifacts to download.
What is the current bug behavior?
Dependency_scanning job info visible publicly despite no access to pipelines
What is the expected correct behavior?
None of the info related to pipelines should be visible.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
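The issue the report describes is a derived page (the dependency list) being gated on project visibility while the data it shows (job status, job link, artifacts) belongs to pipelines, which have their own, stricter visibility setting. The following is an added example, not GitLab's code: a small permission model that contrasts the leaky derivation with the corrected one and audits constructed user/project pairs for cases where the derived page is more permissive than the pipeline permission. The setting name `builds_access_level` mirrors GitLab's project-level pipeline visibility setting; the project, user and permission functions are assumed simplifications.

```python
"""Access-control consistency check for derived pages (added example, not GitLab code).

Assumption: a project's pipeline visibility is a three-state setting named
`builds_access_level` (disabled / private / enabled); everything else here is a
simplified model built for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple


class AccessLevel(Enum):
    DISABLED = "disabled"  # feature switched off for everyone
    PRIVATE = "private"    # project members only
    ENABLED = "enabled"    # anyone who can see the project


@dataclass(frozen=True)
class Project:
    name: str
    public: bool
    builds_access_level: AccessLevel          # governs pipelines, jobs, artifacts
    members: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class User:
    name: Optional[str]  # None models an anonymous visitor


def can_view_project(user: User, project: Project) -> bool:
    return project.public or user.name in project.members


def can_view_pipelines(user: User, project: Project) -> bool:
    """Pipeline data is visible only if the project is visible AND the
    pipeline setting allows this user."""
    if not can_view_project(user, project):
        return False
    level = project.builds_access_level
    if level is AccessLevel.DISABLED:
        return False
    if level is AccessLevel.PRIVATE:
        return user.name in project.members
    return True


def dependency_job_info_visible_buggy(user: User, project: Project) -> bool:
    # The behaviour the report describes: the dependency list page is gated on
    # project visibility alone, so job status, the job link and artifacts leak
    # to anyone who can see a public project.
    return can_view_project(user, project)


def dependency_job_info_visible_fixed(user: User, project: Project) -> bool:
    # Derived data inherits the permission of the data it is derived from.
    return can_view_pipelines(user, project)


def find_leaks(cases: List[Tuple[User, Project]],
               check: Callable[[User, Project], bool]) -> List[Tuple[Optional[str], str]]:
    """Return (user, project) pairs where `check` grants access that the
    pipeline permission would deny, i.e. the derived page over-exposes."""
    return [(u.name, p.name) for u, p in cases
            if check(u, p) and not can_view_pipelines(u, p)]


# Constructed sample data: a public project whose pipelines are members-only,
# and a public project whose pipelines are open.
PUBLIC_RESTRICTED = Project("web-app", public=True,
                            builds_access_level=AccessLevel.PRIVATE,
                            members=frozenset({"maintainer"}))
PUBLIC_OPEN = Project("docs", public=True, builds_access_level=AccessLevel.ENABLED)
ANON = User(None)
OUTSIDER = User("outsider")
MAINTAINER = User("maintainer")
CASES = [(u, p) for u in (ANON, OUTSIDER, MAINTAINER)
         for p in (PUBLIC_RESTRICTED, PUBLIC_OPEN)]

if __name__ == "__main__":
    print("leaks with project-visibility gating:",
          find_leaks(CASES, dependency_job_info_visible_buggy))
    print("leaks with pipeline-permission gating:",
          find_leaks(CASES, dependency_job_info_visible_fixed))
```

The audit reports two leaks for the buggy derivation (the anonymous visitor and the non-member on the public project with members-only pipelines) and none for the fixed one; the general rule it encodes is that any page summarising pipeline output must reuse the pipeline permission check rather than the coarser project-visibility check.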
Impact
Dependency scanning job info visible despite no access to repository