  • #271172
Closed
Open
Issue created Oct 21, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

Release titles visible for any users if group milestones are associated with any project releases

HackerOne report #1012659 by ashish_r_padelkar on 2020-10-20, assigned to @ankelly:

Report

Summary

Hello,

Looks like this issue appeared because of https://gitlab.com/gitlab-org/gitlab/-/issues/235391

When public group milestones are associated with private project releases, the release titles are visible to any user (non-members).

Steps to reproduce
  1. Create a public group and a milestone in that group. Note: this group must have a Gold tier subscription.
  2. Create a private project and a release within it.
  3. Associate the group milestone with the private project release using the API call below:

     curl --header 'Content-Type: application/json' --request PUT --data '{"name": "RELEASE FROM PROJECT", "milestones": ["GroupMilestone1"]}' --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/projects/<ID>/releases/<Name>"

  4. Now log in as any user and access the public group milestone page https://gitlab.com/groups/<PublicGroup>/-/milestones; you should see the name of the release next to the milestone name. This release actually belongs to a private project which you can't see or have access to!
What is the current bug behavior?

Release titles are visible in a public group if the releases are associated with public group milestones!

What is the expected correct behavior?

Release titles shouldn't be visible when they belong to a private project!

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Release titles are visible to any user if public group milestones are associated with any private project releases.
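The missing check described in the report, as an added illustration that is not GitLab's code: a public group milestone lists every release attached to it, so release titles from private projects leak unless each release is filtered by whether the viewer can read its project. Project, Release, Milestone, readable_by?, leaked_release_titles and visible_release_titles are hypothetical names used only to show the authorization pattern; the sample data is constructed.

```ruby
# Added example (not GitLab's code). Models are hypothetical; a nil user
# represents an anonymous visitor to the public group milestone page.
Project = Struct.new(:name, :visibility, :members) do
  # Readable when the project is public, or when the user is a member.
  def readable_by?(user)
    visibility == :public || (!user.nil? && members.include?(user))
  end
end

Release = Struct.new(:title, :project)

# A group milestone can be attached to releases from several projects,
# including private ones the viewer is not a member of.
Milestone = Struct.new(:title, :releases)

# Vulnerable behaviour from the report: every associated release title is
# rendered for anyone who can see the public group milestone.
def leaked_release_titles(milestone)
  milestone.releases.map(&:title)
end

# Hardened behaviour: keep only releases whose project the viewer can read,
# so private-project release titles are never shown to non-members.
def visible_release_titles(milestone, user)
  milestone.releases
           .select { |release| release.project.readable_by?(user) }
           .map(&:title)
end

# Constructed sample data mirroring the reproduction steps.
PUBLIC_PROJECT  = Project.new("public-app", :public, [])
PRIVATE_PROJECT = Project.new("secret-app", :private, ["alice"])
SAMPLE_MILESTONE = Milestone.new("GroupMilestone1", [
  Release.new("v1.0 of public-app", PUBLIC_PROJECT),
  Release.new("RELEASE FROM PROJECT", PRIVATE_PROJECT),
])

if __FILE__ == $PROGRAM_NAME
  puts "leaked to everyone: #{leaked_release_titles(SAMPLE_MILESTONE).inspect}"
  puts "anonymous sees:     #{visible_release_titles(SAMPLE_MILESTONE, nil).inspect}"
  puts "member alice sees:  #{visible_release_titles(SAMPLE_MILESTONE, 'alice').inspect}"
end
```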

Edited Oct 21, 2020 by Andrew Kelly