Expose Private Group's Membership in autocomplete endpoint
HackerOne report #425579 by ngalog on 2018-10-19:
Summary: The impact is exactly the same as #424465 (closed):
When you visit a public project's member page, you can see the normal members there. If the public project has been shared with a private group, that private group is hidden from the web UI, since you are not authorised to reach that private group. However, there is an autocomplete endpoint that discloses all members, including the private group's members.
Steps To Reproduce:
- Visit https://gitlab.com/golduserngalog/gitlabexporta/project_members ; you should be able to see only two members in this group, but in fact I have shared this project with a private group with the namespace privategroupwithprivatemember.
- However, when you visit https://gitlab.com/golduserngalog/gitlabexporta/autocomplete_sources/members?type=Issue&type_id=2 , you will see two more members in the response, thus leaking the membership of the group privategroupwithprivatemember.
Impact
This allows an unauthorized user to view the membership of a private group.
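The following Python is an added illustration of the authorization gap the report describes; it is neither the reporter's code nor GitLab's implementation. It models a public project with direct members and a private shared group, contrasts a member source that ignores group visibility (the reported behaviour) with one that applies the same check the members page already applies, and includes the client-side comparison a tester would run. The data classes, the visibility rule, the usernames and the shape of the autocomplete JSON (an array of objects with a `username` key) are all assumptions made for the example.

```python
"""Model of the member-listing authorization gap from the report above.

Added example, not the reporter's code and not GitLab's implementation.
Data structures, usernames, the visibility rule and the JSON shape are
assumptions for illustration only.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Group:
    path: str
    private: bool
    members: set = field(default_factory=set)


@dataclass
class Project:
    path: str
    direct_members: set = field(default_factory=set)
    shared_groups: list = field(default_factory=list)


def can_read_group(group, requester):
    """Assumed visibility rule: public groups are readable by anyone,
    private groups only by their own members."""
    return (not group.private) or (requester in group.members)


def members_leaky(project, requester):
    """Models the reported behaviour: every direct member plus every member
    of every shared group is returned, with no check on whether the
    requester may see the group (requester is unused on purpose)."""
    names = set(project.direct_members)
    for group in project.shared_groups:
        names |= group.members
    return sorted(names)


def members_authorized(project, requester):
    """Hardened variant: members sourced from a shared group are included
    only when the requester is allowed to read that group, which is the
    rule the project member page already applies."""
    names = set(project.direct_members)
    for group in project.shared_groups:
        if can_read_group(group, requester):
            names |= group.members
    return sorted(names)


def leaked_usernames(ui_usernames, autocomplete_body):
    """Client-side check a tester can run against a real instance: usernames
    present in the autocomplete JSON but absent from the members page.
    Assumes the response is a JSON array of objects with a 'username' key."""
    api_names = {entry["username"] for entry in json.loads(autocomplete_body)}
    return sorted(api_names - set(ui_usernames))


# Constructed sample data mirroring the report: a public project with two
# direct members, shared with a private group that has two members.
# The usernames other than the project owner are made up.
PRIVATE_GROUP = Group("privategroupwithprivatemember", private=True,
                      members={"privuser1", "privuser2"})
PROJECT = Project("golduserngalog/gitlabexporta",
                  direct_members={"golduserngalog", "seconduser"},
                  shared_groups=[PRIVATE_GROUP])

if __name__ == "__main__":
    outsider = "anonymous"
    ui_view = members_authorized(PROJECT, outsider)
    # Constructed JSON standing in for the autocomplete response.
    api_body = json.dumps([{"username": u, "name": u}
                           for u in members_leaky(PROJECT, outsider)])
    print("members page shows:", ui_view)
    print("autocomplete leaks:", leaked_usernames(ui_view, api_body))
```

Against a live target the same comparison is the whole test: collect the usernames rendered on the members page while logged in as a non-member, fetch the autocomplete source with the same session, and any username that appears only in the JSON is a member of a group that session should not be able to enumerate.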