Last pipeline status visible in commits api despite `Only Project Members`

HackerOne report #507070 by ashish_r_padelkar on 2019-03-09, assigned to hackerjuan:

Summary:
Hello,

When a public project has Pipeline visibility set to Only Project Members and the rest as shown in the screenshot, it is expected that none of its details should be visible to other users!

Screenshot_2019-03-09_at_11.46.37.png

Description:

Despite the above settings, the last run pipeline status is visible to other users through the commit API endpoint:

curl --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/projects/<ID>/repository/commits/<CommitSha>"  

Steps To Reproduce:

  1. As the owner of a public project, set pipeline visibility to Only Project Members and the rest as shown in the screenshot.

  2. Now, as a normal GitLab user, run the API call below:

curl --header "PRIVATE-TOKEN: <Token>" "https://gitlab.com/api/v4/projects/<ID>/repository/commits/<CommitSha>"  
  3. See the response.
last_pipeline":{"id":<ID>,"sha":"xyz","ref":"master","status":"failed","web_url":"https://gitlab.com/<userName>/<ProjectName>/pipelines/<ID>"},"project_id":<ID>}  

Regards,
Ashish

Impact

This information should not be visible for normal users when pipelines are set as project members only!
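The following is an added illustration, not GitLab's code and not part of the report: a minimal commit presenter that applies the same authorization rule the report expects, so that `last_pipeline` is only emitted when the viewer is allowed to read the project's pipelines. The `Project`, `Pipeline`, `Commit` and `User` structs, the `public_builds` flag, the member list and the sample data are all constructed here; `response_leaks_pipeline?` is a hypothetical helper for auditing a captured API response against the project's settings.

```ruby
# Added example (not GitLab code): gate `last_pipeline` in a commit JSON
# response on the viewer's right to read pipelines, and audit a captured
# response for the leak described in the report.
require 'json'

# Constructed domain model; field names are assumptions, not GitLab's schema.
Project  = Struct.new(:id, :public_builds, :member_ids, keyword_init: true)
Pipeline = Struct.new(:id, :sha, :ref, :status, keyword_init: true)
Commit   = Struct.new(:id, :title, :last_pipeline, keyword_init: true)
User     = Struct.new(:id, keyword_init: true)

# "Pipelines: Only Project Members" means: readable when the project exposes
# builds publicly, otherwise only by members. Anonymous viewers never qualify.
def can_read_pipeline?(user, project)
  return true if project.public_builds
  return false if user.nil?
  project.member_ids.include?(user.id)
end

# Builds the commit hash. The reported bug is equivalent to dropping the
# can_read_pipeline? guard: the pipeline summary is then serialized for anyone
# who can see the commit, regardless of pipeline visibility.
def commit_entity(commit, project, user)
  entity = { 'id' => commit.id, 'title' => commit.title, 'project_id' => project.id }
  p = commit.last_pipeline
  if p && can_read_pipeline?(user, project)
    entity['last_pipeline'] = { 'id' => p.id, 'sha' => p.sha, 'ref' => p.ref, 'status' => p.status }
  end
  entity
end

# Audit helper: given a parsed commit API response, whether builds are public,
# and whether the token's user is a member, report if pipeline data leaked.
def response_leaks_pipeline?(response, public_builds:, viewer_is_member:)
  pipeline = response['last_pipeline']
  return false if pipeline.nil?
  !(public_builds || viewer_is_member)
end

# Constructed sample data mirroring the report's setup.
PROJECT  = Project.new(id: 42, public_builds: false, member_ids: [1])
PIPELINE = Pipeline.new(id: 7, sha: 'abc123', ref: 'master', status: 'failed')
COMMIT   = Commit.new(id: 'abc123', title: 'Fix build', last_pipeline: PIPELINE)
OWNER    = User.new(id: 1)
OUTSIDER = User.new(id: 2)

# A constructed response shaped like the one quoted in the report.
LEAKY_RESPONSE = JSON.parse(
  '{"id":"abc123","last_pipeline":{"id":7,"sha":"abc123","ref":"master",' \
  '"status":"failed"},"project_id":42}'
)

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(commit_entity(COMMIT, PROJECT, OWNER))    # includes last_pipeline
  puts JSON.generate(commit_entity(COMMIT, PROJECT, OUTSIDER)) # omits last_pipeline
  puts response_leaks_pipeline?(LEAKY_RESPONSE, public_builds: false, viewer_is_member: false)
end
```

The presenter keeps the authorization decision in one predicate so that every serializer exposing pipeline data shares it; the audit helper is the regression check a maintainer would run against a captured response from a non-member token after deploying a fix.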

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-03-09_at_11.46.37.png
Edited Jan 28, 2020 by GitLab SecurityBot