Guest user can see tag names

HackerOne report #833334 by izzsec on 2020-03-28, assigned to @rchan-gitlab:

Security Implementation Issue

Summary

According to https://gitlab.com/help/user/permissions, "Guest users can access GitLab Releases for downloading assets but are not allowed to download the source code nor see repository information like tags and commits."
By querying the Releases API for a project that the user has guest access to, they are able to see tag names under the _links.self JSON field.

Steps to reproduce

  1. Create new private project
  2. Add a guest user
  3. Go to Home --> Releases https://gitlab.com///-/releases
  4. Click New Release, enter any tagname and click create tag
  5. As the guest user, go to Releases; the API page at https://gitlab.com/api/v4/projects/<project_id>/releases?per_page=20 will load
  6. Check the JSON response and see the tag name under _links.self
  7. Alternatively, query the Releases API with the guest user's token:
curl -X GET -H "Private-Token: <PRIVATE_TOKEN>" https://gitlab.com/api/v4/projects/<project_id>/releases

JSON snippet with _links.self and tag name:

"_links": {
  "self": "https://gitlab.com/<group>/<project>/-/releases/<tag_name>"
}
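An added example (not part of the report or of GitLab's code) of a regression check for this leak: it audits a Releases API response fetched with a guest token for tag names, whether in an explicit tag_name field or embedded in the _links URLs, and shows one redaction shape a server could apply for guest callers. The host name, project path and response body below are constructed sample data.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the kind of response the report describes: the guest
# view carries no tag_name field, yet _links.self still ends in the tag name.
SAMPLE_GUEST_RESPONSE = json.dumps([
    {
        "name": "First release",
        "description": "constructed sample release",
        "_links": {
            "self": "https://gitlab.example/group/project/-/releases/v1.0.0",
            "edit_url": "https://gitlab.example/group/project/-/releases/v1.0.0/edit",
        },
    }
])

# Fields that carry repository information a guest is not entitled to
# (assumed list for this example, not GitLab's own policy definition).
TAG_BEARING_KEYS = ("tag_name", "commit", "commit_path", "tag_path", "_links")


def tag_from_release_url(url):
    """Return the tag name that follows /releases/ in a release URL, or None.
    Tag names containing '/' are URL-encoded in practice and are not decoded here."""
    parts = urlsplit(url).path.rstrip("/").split("/")
    if "releases" not in parts:
        return None
    idx = parts.index("releases")
    return parts[idx + 1] if idx + 1 < len(parts) and parts[idx + 1] else None


def leaked_tags(response_text):
    """Audit: every tag name a caller could learn from this Releases API body."""
    found = set()
    for release in json.loads(response_text):
        if release.get("tag_name"):
            found.add(release["tag_name"])
        for link in (release.get("_links") or {}).values():
            tag = tag_from_release_url(str(link))
            if tag:
                found.add(tag)
    return found


def redact_response(response_text):
    """Mitigation shape: drop tag-bearing fields before returning releases to a guest."""
    releases = json.loads(response_text)
    return json.dumps([{k: v for k, v in r.items() if k not in TAG_BEARING_KEYS}
                       for r in releases])
```

Run leaked_tags against a response captured with a guest token; an empty set after the fix is the expected result.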

Impact

Guest users can see tag names

Examples

This happens on gitlab.com.

What is the current bug behavior?

Guest users can see tag names

What is the expected correct behavior?

Tag names should not be displayed to guest users.


Edited by Shinya Maeda