Number of open issues and MRs leaked through new project list
HackerOne report #480960 by xanbanx on 2019-01-16, assigned to asaba:
Lately, GitLab redesigned the projects overview page. Now, this page also includes the number of open issues, number of open merge requests, and number of forks. However, this information is leaking to users with restricted project access. For public and internal projects, this information is leaked when the project's issues and MRs are configured to be accessible only by project members. For private projects, the number of MRs is leaked also to Guest project members, who, according to the GitLab permission system, don't have access to MRs.
Steps to reproduce
Tested on GitLab 11.7.0-rc5-ee
- Create a public project, restrict the access of issues and merge requests to project members only. In this example, I named the project test-project-page
- Create new issue and a merge request in this project
- As a non-project member, visit the projects page. Here you can search for the project since it's public by visiting the page: https://example.gitlab.com/explore/projects?utf8=%E2%9C%93&name=test-project-page&sort=latest_activity_desc
- The search result is leaking the number of issues and merge requests, although as a non-project member, you don't have access to this. You can also see this in the attached screenshot.
Steps to mitigate
Only display number of issues or MRs if user has permission to it
Impact
Users who don't have access to issues and MRs can see the number of open items.
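The following is an added illustration of the mitigation the report asks for ("only display the number of issues or MRs if the user has permission to it"). It is not GitLab's code and not the reporter's; it is a small Ruby model of the rules the report relies on, with assumed names: project visibility (public/internal/private), per-feature access (:enabled for everyone who can see the project, :private for members only, :disabled), and the role ranking in which a Guest may read issues but not merge requests. Whether the project card is shown at all (project-level visibility) is assumed to be enforced upstream; the example only decides which counters go on the card.

```ruby
# Added example, not GitLab's code: gate the open-issue / open-MR counters on
# the project list behind the same permission check that guards the features.

# Minimal project model (field names assumed for this example).
Project = Struct.new(:visibility, :issues_access, :mr_access,
                     :open_issues, :open_mrs, keyword_init: true)

# Roles in ascending order of privilege; :none is a signed-in non-member.
ROLE_RANK = { none: 0, guest: 1, reporter: 2, developer: 3, maintainer: 4 }.freeze

# Minimum role needed to read each feature when it is restricted to members.
# Assumed to mirror the GitLab permission table cited in the report:
# Guests can read issues, but merge requests need at least Reporter.
MIN_ROLE = { issues: :guest, merge_requests: :reporter }.freeze

def meets_min_role?(role, feature)
  ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(MIN_ROLE.fetch(feature))
end

# True when `role` may read `feature` (:issues or :merge_requests) on `project`.
def can_read_feature?(project, feature, role)
  access = feature == :issues ? project.issues_access : project.mr_access
  return false if access == :disabled

  # Private project: every feature is members-only, so the role check applies
  # regardless of the feature's own access setting.
  return meets_min_role?(role, feature) if project.visibility == :private

  # Public / internal project: the feature is either open to everyone who can
  # see the project (:enabled) or restricted to members (:private).
  case access
  when :enabled then true
  when :private then meets_min_role?(role, feature)
  else false
  end
end

# Fixed behaviour: build the card stats, omitting any counter the viewer may
# not read. Omission (rather than rendering 0) avoids leaking "zero vs. some".
def project_card_stats(project, role)
  stats = {}
  stats[:open_issues] = project.open_issues if can_read_feature?(project, :issues, role)
  stats[:open_merge_requests] = project.open_mrs if can_read_feature?(project, :merge_requests, role)
  stats
end

# Vulnerable behaviour described in the report: counters rendered for anyone
# who can see the card, ignoring the feature-level permissions.
def project_card_stats_leaky(project, _role)
  { open_issues: project.open_issues, open_merge_requests: project.open_mrs }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the report's public project with members-only
  # issues and MRs, viewed by a non-member.
  test_project = Project.new(visibility: :public, issues_access: :private,
                             mr_access: :private, open_issues: 1, open_mrs: 1)
  puts "leaky, non-member: #{project_card_stats_leaky(test_project, :none)}"
  puts "fixed, non-member: #{project_card_stats(test_project, :none)}"
  puts "fixed, reporter:   #{project_card_stats(test_project, :reporter)}"

  # Constructed sample: a private project viewed by a Guest member.
  private_project = Project.new(visibility: :private, issues_access: :enabled,
                                mr_access: :enabled, open_issues: 3, open_mrs: 2)
  puts "fixed, guest on private project: #{project_card_stats(private_project, :guest)}"
end
```

The check is deliberately the same predicate that guards the issue and MR pages themselves; keeping the list view on the same predicate is what prevents the two from drifting apart again when a new counter (forks, for instance) is added to the card.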
Attachments