
Endpoint for auto-completing Assignee discloses the members of private groups

HackerOne report #627507 by ngalog on 2019-06-24, assigned to estrike:

Summary

I have a project, with id 10257668, and I have invited a private group as a developer to this project. As that group is private, you should not see its membership. However, there is a way to find out the project's private membership:

Steps to reproduce:

  1. Login to gitlab.com.
  2. Visit this project members page: https://gitlab.com/api/v4/projects/10257668/members. See this project has only one member.
  3. Visit https://gitlab.com/autocomplete/users.json?search=&active=true&project_id=10257668&current_user=true. See this project has more than one member, thus disclosing the private membership.

Impact

Disclosure of members in a private group.

Proposal

The autocomplete endpoint should use the permission check from the Project Members API endpoint (https://gitlab.com/api/v4/projects/[project-id]/members).
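The mismatch the report describes is two endpoints answering the same question ("who can be assigned work in this project?") with different authorization rules. The following Ruby sketch is an added illustration, not GitLab's code: it models direct project members, groups shared with the project, and a private/public flag on each group, then shows an autocomplete query that ignores the viewer next to one that only returns users reachable through a membership the viewer may read. The structs, the usernames and the visibility rule are constructed for the example; the project id is the one quoted in the report.

```ruby
# Toy model (constructed for this example, not GitLab's data model) of an
# assignee-autocomplete endpoint and the visibility check it should apply.

User    = Struct.new(:id, :username)
Group   = Struct.new(:id, :name, :private, :members)        # members: Array<User>
Project = Struct.new(:id, :direct_members, :shared_groups)   # shared_groups: Array<Group>

# Visibility rule assumed here: a private group's membership is readable only by
# members of that group; a public group's membership is readable by anyone who
# can see the project.
def can_read_group_members?(viewer, group)
  !group.private || group.members.any? { |u| u.id == viewer.id }
end

# Raw candidate pool for assignment: direct members plus every member of every
# group the project has been shared with. This is what both endpoints start from.
def assignable_users(project)
  (project.direct_members + project.shared_groups.flat_map(&:members)).uniq(&:id)
end

# Vulnerable shape: filters on the search string only, never on who is asking,
# so members of a private group are returned to any viewer of the project.
def autocomplete_unscoped(project, _viewer, search = "")
  assignable_users(project).select { |u| u.username.include?(search) }
end

# Hardened shape: same query, but a group's members are added only when the
# viewer is permitted to read that group's membership. This is the check the
# Members API already performs and the proposal asks autocomplete to share.
def autocomplete_scoped(project, viewer, search = "")
  visible = project.direct_members.dup
  project.shared_groups.each do |g|
    visible.concat(g.members) if can_read_group_members?(viewer, g)
  end
  visible.uniq(&:id).select { |u| u.username.include?(search) }
end

# Regression check: usernames the unscoped endpoint reveals to this viewer that
# the scoped one withholds. An empty result means the two endpoints agree.
def disclosed_by_autocomplete(project, viewer)
  (autocomplete_unscoped(project, viewer) - autocomplete_scoped(project, viewer)).map(&:username)
end

# Constructed sample data: alice owns the project but is not in the private group.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
CAROL = User.new(3, "carol")
SECRET_TEAM = Group.new(10, "secret-team", true, [BOB, CAROL])
PROJECT = Project.new(10257668, [ALICE], [SECRET_TEAM])

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, viewer alice: #{autocomplete_unscoped(PROJECT, ALICE).map(&:username).inspect}"
  puts "scoped,   viewer alice: #{autocomplete_scoped(PROJECT, ALICE).map(&:username).inspect}"
  puts "disclosed to alice:     #{disclosed_by_autocomplete(PROJECT, ALICE).inspect}"
end
```

The useful habit this encodes is to derive both the members listing and the autocomplete suggestions from one visibility predicate rather than reimplementing the rule per endpoint; `disclosed_by_autocomplete` is the kind of assertion a test suite can keep around so the two views cannot drift apart again.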

Edited by Dan Jensen