`unfoldered_environment_names` endpoint allows Guest users to read environments
Problem
unfoldered_environment_names
endpoint was added in !44041 (merged). This endpoint has a narrow vulnerability that Guest users can read environment names that they are not allowed to read.
Reproduce Steps:
- Create a new private group
- Create a new private project under the group
- Create a new environment in the project.
- Add a Guest user in the group.
- Sing-in as the Guest user and execute the group-level
unfoldered_environment_names
endpoint for the namespace. - The Guest user can read existing environment name
The project-level unfoldered_environment_names
doesn't have this vulnerability since read_environment
permission is correctly checked.
Reference: !44041 (diffs)
Edited by Shinya Maeda