Disclosure of Labels and Milestones in Public Project With 'Only Project Members' Enabled for Issues

HackerOne report #505892 by rafiem on 2019-03-07, assigned to hackerjuan:

Hi Team,

Summary

I have found information disclosure of labels and milestones in public project.This disclosure can be happened when 'Only Project Members' feature enabled for Issues.That feature mean that only project members can view/access the information regarding issue like milestone and label.But, in this case non-project members can access the milestones and labels.

Description

An information disclosure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.In this case,non project members have access to labels and milestones despite that 'Only Project Members' feature enabled for issues in the public project.

Steps To Reproduce

1.)User A make public project
2.)User A then enabled 'Only Project Members' feature for issues on : https://gitlab.com/[user]/[project name]/edit
3.)Milestones and lables page can still be accessed by non-project members directly on : https://gitlab.com/[user]/[project name]/milestones and https://gitlab.com/[user]/[project name]/labels
4.)The label and milestone name also disclosed on merge request

<>PoC video attached

Impact

Disclosing Label and Milestone to non-project member having that project enabled 'Only Project Members' for Issues.

Best Regards,
@rafiem

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Disclosed_Label_and_Milestone.mp4