Pending invitations of public groups and public projects are visible to any user
HackerOne report #1048259 by ashish_r_padelkar
on 2020-12-01, assigned to @rchan-gitlab:
Report
Summary
Hello,
It is possible to see pending invitations of any public group or public project by visiting the API endpoints
https://gitlab.com/api/v4/groups/<ID>/invitations
https://gitlab.com/api/v4/projects/<ID>/invitations
This info is not visible in the UI to guests/non-members. The invites can be email IDs too, so this info shouldn't be visible to such users!
Steps to reproduce
- Go to any public group or public project and go to the membership page. You only see confirmed members but won't see pending members.
- Now use the endpoints below to see the pending members (invited by email):
https://gitlab.com/api/v4/groups/<ID>/invitations
https://gitlab.com/api/v4/projects/<ID>/invitations
What is the current bug behavior?
Pending invites are visible to any user of a public group/project.
What is the expected correct behavior?
The pending invites shouldn't be visible to the public.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Pending invitations of public groups and projects, including the invitee email addresses, are visible to any user of those groups/projects, including non-members who cannot see them in the UI.
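The authorization gap described above, as an added example that is not GitLab's code: a minimal Ruby model in which the invitations listing is gated only on read access to the source (so any viewer of a public project, including an anonymous one, gets the invitee email addresses) beside a version that applies the same "manage members" check the membership page in the UI already requires. The names Source, Member, Invitation, Forbidden and the sample users are illustrative assumptions.

```ruby
# Added example, not GitLab's code. Minimal model of the authorization gap in
# the report: listing pending invitations gated only on *read* access (the bug)
# versus gated on the *admin members* permission the UI already requires.
# Source, Member, Invitation and Forbidden are illustrative names, not GitLab's API.

class Forbidden < StandardError; end

Member     = Struct.new(:user, :access_level)          # :guest .. :owner
Invitation = Struct.new(:invite_email, :access_level)  # pending, email-only invite

ADMIN_LEVELS = %i[maintainer owner].freeze

class Source # stands in for either a group or a project
  attr_reader :visibility, :members, :invitations

  def initialize(visibility:, members: [], invitations: [])
    @visibility  = visibility
    @members     = members
    @invitations = invitations
  end

  def public?
    visibility == :public
  end

  def member?(user)
    !user.nil? && members.any? { |m| m.user == user }
  end

  # Read rule: public sources are readable by anyone, including anonymous (nil) users.
  def readable_by?(user)
    public? || member?(user)
  end

  # UI rule for the membership page: only maintainers and owners manage members.
  def admin?(user)
    !user.nil? && members.any? { |m| m.user == user && ADMIN_LEVELS.include?(m.access_level) }
  end
end

def serialize(invitations)
  invitations.map { |i| { invite_email: i.invite_email, access_level: i.access_level } }
end

# Vulnerable: anyone who can read a public source can enumerate invitee e-mails.
def list_invitations_vulnerable(user, source)
  raise Forbidden, "cannot read source" unless source.readable_by?(user)
  serialize(source.invitations)
end

# Hardened: same check as the UI; guests, non-members and anonymous users are refused.
def list_invitations_hardened(user, source)
  raise Forbidden, "cannot administer members" unless source.admin?(user)
  serialize(source.invitations)
end

# Constructed sample data (assumption): a public project owned by "alice", with a
# guest member "carol" and one pending email invitation.
def build_demo_source
  Source.new(
    visibility: :public,
    members: [Member.new("alice", :owner), Member.new("carol", :guest)],
    invitations: [Invitation.new("bob@example.com", :developer)]
  )
end

# Runs both endpoints for each caller (nil = anonymous, "dave" = non-member) and
# reports the invitee e-mails each one sees, or :forbidden.
def compare(source, callers = [nil, "dave", "carol", "alice"])
  callers.to_h do |user|
    outcome = ->(fn) do
      begin
        fn.call(user, source).map { |i| i[:invite_email] }
      rescue Forbidden
        :forbidden
      end
    end
    [user || :anonymous,
     { vulnerable: outcome.call(method(:list_invitations_vulnerable)),
       hardened:   outcome.call(method(:list_invitations_hardened)) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare(build_demo_source).each { |who, seen| puts "#{who}: #{seen}" }
end
```

Only the owner sees the pending invite through the hardened listing; the vulnerable listing hands the address to everyone, which is exactly the UI/API mismatch the report points out.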
Proposal
These API endpoints should apply the same authorization policy as the equivalent UI endpoints: