
Guests can see name of the groups shared in projects

HackerOne report #447817 by ashish_r_padelkar on 2018-11-20:

Summary: Hello,

There is no documentation for this, I guess, but I assume that Developer and lower-level users cannot see the list of groups that a project is shared with at https://gitlab.com/<Project>/project_members

Here, they can only see individual members.

Description:

It is possible for users with the Developer role or lower to see whether the project is shared with groups.

The endpoint responsible for this is https://gitlab.com/autocomplete/project_groups.json?project_id=<ProjectID>

This will list the names of all the groups (even if private).

Steps To Reproduce:

  1. As a Developer or lower-level role, visit https://gitlab.com/<Project>/project_members. You will not see the groups that this project is shared with.

  2. Now, using https://gitlab.com/autocomplete/project_groups.json?project_id=<ProjectID>, you can see the names!

Supporting Material/References:

I found this endpoint in the autocomplete dropdown for protected branches and protected tags at /settings/repository, in the "Allowed to merge" dropdown.

Regards, Ashish

Impact

Guests can see the groups that projects are shared with.
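The defect the report describes is an autocomplete endpoint that applies a weaker visibility rule than the members page it supplements. The following Ruby is an added illustration, not GitLab's code: a minimal model of a project shared with groups, the unfiltered lookup beside a hardened one that reuses the same visibility check as the members page. The role names, the `group_visible_to?` rule (public groups or groups the user belongs to; maintainers and owners see everything) and the sample data are assumptions for this example.

```ruby
# Added example, not GitLab's code. Models the authorisation gap in the
# report and one way to close it. Roles and visibility rules are assumed.
Group   = Struct.new(:name, :visibility, :members)   # visibility: :public / :private
Project = Struct.new(:shared_groups)
User    = Struct.new(:name, :role)                   # role: :guest, :developer, ...

# Assumed visibility rule (the same one the members page would apply):
# a group is visible if it is public or the user is one of its members.
def group_visible_to?(group, user)
  group.visibility == :public || group.members.include?(user.name)
end

# Assumed: maintainers and owners may see every group the project is shared with.
def can_admin_project?(user)
  %i[maintainer owner].include?(user.role)
end

# Vulnerable variant: returns every shared group's name regardless of who asks,
# which is the behaviour the report describes for the autocomplete endpoint.
def project_groups_autocomplete_unfiltered(project, _user)
  project.shared_groups.map(&:name)
end

# Hardened variant: filter with the same rule the members page uses, so the
# autocomplete can never disclose more than the page it feeds.
def project_groups_autocomplete(project, user)
  return project.shared_groups.map(&:name) if can_admin_project?(user)

  project.shared_groups.select { |g| group_visible_to?(g, user) }.map(&:name)
end

# Constructed sample data for the demonstration.
SAMPLE_PROJECT = Project.new([
  Group.new('public-tools',     :public,  ['alice']),
  Group.new('secret-squad',     :private, ['alice']),
  Group.new('finance-internal', :private, ['carol'])
])
GUEST      = User.new('bob',   :guest)
MAINTAINER = User.new('alice', :maintainer)

if __FILE__ == $PROGRAM_NAME
  puts "guest, unfiltered: #{project_groups_autocomplete_unfiltered(SAMPLE_PROJECT, GUEST).inspect}"
  puts "guest, filtered:   #{project_groups_autocomplete(SAMPLE_PROJECT, GUEST).inspect}"
  puts "maintainer:        #{project_groups_autocomplete(SAMPLE_PROJECT, MAINTAINER).inspect}"
end
```

The unfiltered call shows a guest receiving the private group names; the filtered call returns only the public group, matching what the members page would show that user.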

Edited by Dennis Appelt