Release titles visible for any users if group milestones are associated with any project releases
HackerOne report #1012659 by ashish_r_padelkar on 2020-10-20, assigned to @ankelly:
Report
Summary
Hello,
Looks like this issue appeared because of https://gitlab.com/gitlab-org/gitlab/-/issues/235391
When public group milestones are associated with private project releases, the release titles are visible for any user (non-members).
Steps to reproduce
- Create a public group and a milestone in the group. Note: this group must have a Gold tier subscription.
- Create a private project and release within it.
- Associate the group milestone with the private project release using the API call below:
curl --header 'Content-Type: application/json' --request PUT --data '{"name": "RELEASE FROM PROJECT", "milestones": ["GroupMilestone1"]}' --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/projects/<ID>/releases/<Name>"
- Now log in as any user and access the public group milestone page
https://gitlab.com/groups/<PublicGroup>/-/milestones
and you should see the name of the release with the milestone name. This release actually belongs to a private project which you can't see or have access to!
What is the current bug behavior?
Release titles visible in public group if the releases are associated with public group milestones!
What is the expected correct behavior?
Release titles shouldn't be visible when they belong to a private project!
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Release titles visible for any users if public group milestones are associated with any private project releases
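
The leak described in this report, modeled as an added example (not GitLab's code and not part of the original report): a group milestone listing has to authorize each release against its own project instead of relying on the group's visibility. The Struct types, the helper names and the "v1.0" release are hypothetical and constructed for illustration.

```ruby
# Simplified model for illustration; all type and method names are hypothetical.
Project   = Struct.new(:id, :visibility, :member_ids)
Release   = Struct.new(:name, :project)
Milestone = Struct.new(:title, :releases)
User      = Struct.new(:id)

# A viewer may read a project's releases if the project is public
# or the viewer is a project member. A nil viewer is anonymous.
def can_read_releases?(viewer, project)
  return true if project.visibility == :public
  !viewer.nil? && project.member_ids.include?(viewer.id)
end

# Behaviour described in the report: every associated release is listed,
# because the viewer is never checked against the release's project.
def release_names_unfiltered(milestone, _viewer)
  milestone.releases.map(&:name)
end

# Hardened form: keep only releases whose project the viewer can read.
def release_names_for(milestone, viewer)
  milestone.releases
           .select { |release| can_read_releases?(viewer, release.project) }
           .map(&:name)
end

# Constructed sample data mirroring the reproduction steps.
PRIVATE_PROJECT = Project.new(1, :private, [10])
PUBLIC_PROJECT  = Project.new(2, :public, [10])
GROUP_MILESTONE = Milestone.new("GroupMilestone1", [
  Release.new("RELEASE FROM PROJECT", PRIVATE_PROJECT),
  Release.new("v1.0", PUBLIC_PROJECT)
])
MEMBER     = User.new(10)
NON_MEMBER = User.new(99)

if __FILE__ == $PROGRAM_NAME
  [["anonymous", nil], ["non-member", NON_MEMBER], ["member", MEMBER]].each do |label, viewer|
    puts "#{label}: #{release_names_for(GROUP_MILESTONE, viewer).inspect}"
  end
end
```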