GitLab.org / GitLab / Issues / #290985 (Closed)

Issue created Dec 03, 2020 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Pending invitations of public groups and public projects are visible to any user

HackerOne report #1048259 by ashish_r_padelkar on 2020-12-01, assigned to @rchan-gitlab:


Report

Summary

Hello,

It is possible to see pending invitations of any public group or public project by visiting the API endpoints:

  • https://gitlab.com/api/v4/groups/<ID>/invitations
  • https://gitlab.com/api/v4/projects/<ID>/invitations

This info is not visible in the UI to guests/non-members. The invites can be email IDs too, so this info shouldn't be visible to such users!

Steps to reproduce
  1. Go to any public group or public project and go to the membership page. You only see confirmed members but won't see pending members.
  2. Now use the below endpoints to see the pending members (invited by email):
    • https://gitlab.com/api/v4/groups/<ID>/invitations
    • https://gitlab.com/api/v4/projects/<ID>/invitations
What is the current bug behavior?

Pending invites are visible to any user of a public group/project.

What is the expected correct behavior?

The pending invites shouldn't be visible to the public.

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Pending members (including their emails) are visible to users of public groups/projects.

Proposal

These API endpoints should apply the same authorization policy as the equivalent UI endpoints:

  • https://gitlab.com/api/v4/groups/:id/invitations
  • https://gitlab.com/api/v4/projects/:id/invitations
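As an added illustration of the proposal (example code written for this page, not GitLab's own code or its API implementation), the following Ruby models an `invitations` API handler in the vulnerable shape the report describes, gated only on read access to the source, next to a hardened handler that applies the same rule as the UI members page: only users who can administer membership receive the invitation list. The `Source` struct, the member and invitation data, the numeric access levels and the "maintainer or above" threshold are all constructed assumptions for the example.

```ruby
# Added example for this page; not GitLab's code. A toy model of a
# group/project "invitations" API handler in a vulnerable and a hardened form.

# Assumed access levels (constructed for the example).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A group or project: visibility, confirmed members (login => access level),
# and pending invitations (sent to email addresses that have no account yet).
Source = Struct.new(:id, :visibility, :members, :invitations, keyword_init: true)

# The current user is a login string, or nil for an anonymous caller.
def access_level_for(source, user)
  user.nil? ? nil : source.members[user]
end

# Read access: public sources are readable by anyone, private ones by members only.
def can_read_source?(source, user)
  source.visibility == :public || !access_level_for(source, user).nil?
end

# Administering membership (and therefore seeing who has been invited) requires
# maintainer or above here. This mirrors the policy the UI members page applies.
def can_admin_members?(source, user)
  level = access_level_for(source, user)
  !level.nil? && level >= ACCESS_LEVELS[:maintainer]
end

# Serialise pending invitations the way an API response would.
def invitation_payload(source)
  source.invitations.map do |inv|
    { 'invite_email' => inv[:email], 'access_level' => inv[:access_level], 'state' => 'pending' }
  end
end

# Vulnerable handler: authorises on read access only. On a public source every
# caller, including an anonymous one, receives the invitee email addresses.
def invitations_vulnerable(source, user)
  return [403, { 'message' => '403 Forbidden' }] unless can_read_source?(source, user)
  [200, invitation_payload(source)]
end

# Hardened handler: the API enforces the same rule as the UI membership page.
# Non-readable sources get 404 so their existence is not leaked; readable sources
# the caller may not administer get 403.
def invitations_hardened(source, user)
  return [404, { 'message' => '404 Not Found' }] unless can_read_source?(source, user)
  return [403, { 'message' => '403 Forbidden' }] unless can_admin_members?(source, user)
  [200, invitation_payload(source)]
end

# Constructed sample data: a public group with an owner, a guest and one pending
# invite, plus a private project with a maintainer and one pending invite.
PUBLIC_GROUP = Source.new(
  id: 1, visibility: :public,
  members: { 'alice' => ACCESS_LEVELS[:owner], 'bob' => ACCESS_LEVELS[:guest] },
  invitations: [{ email: 'invitee@example.test', access_level: ACCESS_LEVELS[:developer] }]
)

PRIVATE_PROJECT = Source.new(
  id: 2, visibility: :private,
  members: { 'alice' => ACCESS_LEVELS[:maintainer] },
  invitations: [{ email: 'contractor@example.test', access_level: ACCESS_LEVELS[:reporter] }]
)

# Run both handlers for a list of callers; returns { caller => [vulnerable_status, hardened_status] }.
def compare_handlers(source, callers)
  callers.to_h do |user|
    [user || :anonymous, [invitations_vulnerable(source, user)[0], invitations_hardened(source, user)[0]]]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_handlers(PUBLIC_GROUP, [nil, 'bob', 'alice']).each do |caller, (vuln, hard)|
    puts format('%-10s vulnerable=%d hardened=%d', caller, vuln, hard)
  end
end
```

Running the script shows the gap in one table: the anonymous caller and the guest both get a 200 with the invitee's email from the vulnerable handler, while the hardened handler returns 403 for them and 200 only for the owner. The same comparison is the shape of a regression test worth keeping next to any membership endpoint, since the leak is invisible to the UI and only shows up when the API is exercised directly.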
Edited Aug 26, 2021 by Pavel Shutsin