Forked Project's Information is Still Being Disclosed in Project API after being changed to Private
HackerOne report #575814 by ngalog
on 2019-05-10, assigned to asaba
Summary
In GitHub, once a repo goes private, all the fork relationships it had before are erased. This is done for privacy reasons: once a project goes private, no related info should be disclosed.
In GitLab, however, even after the project goes private, the previously forked repo can still get the private project's info, i.e. the fork relationship persists, thus disclosing info about the private project.
Steps to reproduce
- Create a new project, say named `foo project`, as user A
- User B forks `foo project`; user B's forked project is now `bar project`
- User A sets the visibility of the project to private in https://gitlab.com/PROJECT_PATH/edit
- User B should not be able to view https://gitlab.com/PROJECT_PATH/ anymore, which is good
- However, user B can still spy on `foo project` by visiting the link https://gitlab.com/api/v4/projects/ID_OF_BAR_PROJECT , where the value of `fork_from_project` will be the info of `foo project`
Impact
Allows a user to keep spying on a private project if it was public before
What is the current bug behavior?
Allows a user to keep spying on a private project if it was public before
What is the expected correct behavior?
All fork relationships should be detached after a public project goes private
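The following audit check is an added example, not part of the original report or GitLab's own code. It encodes the report's two observations as a test a defender can run over project records: the fork's API record still carries the parent under the field GitLab's API names `forked_from_project` (the report writes it as `fork_from_project`), while a direct fetch of that parent with the same credentials is refused. The sample JSON and status codes below are constructed; `gitlab.example.com`, the project ids and the `parent_status` callback are assumptions.

```python
"""Audit check: does a fork's API record disclose a parent the caller cannot read?"""
from typing import Callable, Optional

# Constructed sample: what user B gets from GET /api/v4/projects/<bar id>
# after user A made `foo project` private. The parent block is still attached.
SAMPLE_FORK_JSON = {
    "id": 2002,
    "name": "bar project",
    "path_with_namespace": "userB/bar-project",
    "visibility": "public",
    "forked_from_project": {
        "id": 1001,
        "name": "foo project",
        "path_with_namespace": "userA/foo-project",
        "web_url": "https://gitlab.example.com/userA/foo-project",  # assumed host
    },
}

# Constructed: HTTP status user B gets from GET /api/v4/projects/1001 directly.
# GitLab answers 404 for projects the caller is not permitted to see.
SAMPLE_PARENT_STATUS = {1001: 404}


def fork_leaks_private_parent(fork_json: dict,
                              parent_status: Callable[[int], int]) -> Optional[dict]:
    """Return the disclosed parent details when the fork record names a parent
    that the same caller cannot fetch directly; None otherwise.

    parent_status(project_id) must return the HTTP status of
    GET /api/v4/projects/<project_id> made with the *same* credentials
    (for a live check, wrap an HTTP GET with the low-privilege user's token)."""
    parent = fork_json.get("forked_from_project")
    if not parent:
        return None  # not a fork, or relationship already detached (expected behaviour)
    if parent_status(parent["id"]) in (403, 404):
        # Caller cannot read the parent, yet its name/path/url were just handed out.
        return {k: parent[k] for k in ("id", "name", "path_with_namespace", "web_url")
                if k in parent}
    return None


def audit_projects(projects: list, parent_status: Callable[[int], int]) -> list:
    """Run the check over project records (e.g. GET /api/v4/projects?membership=true)
    and return (fork id, leaked parent details) pairs."""
    return [(p["id"], leaked) for p in projects
            if (leaked := fork_leaks_private_parent(p, parent_status))]


if __name__ == "__main__":
    lookup = lambda pid: SAMPLE_PARENT_STATUS.get(pid, 200)
    for fork_id, parent in audit_projects([SAMPLE_FORK_JSON], lookup):
        print(f"fork {fork_id} discloses inaccessible parent {parent['path_with_namespace']}")
```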
Relevant logs and/or screenshots