Private project path & Resource_label_events API reveals labels from Private project if the issue is moved to public project.
HackerOne report #643854 by ashish_r_padelkar on 2019-07-15, assigned to akelly:
dev issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2919
Summary
Hello,
When an issue is moved from a private project to a public project, the label events are visible to any user on the timeline. However, they can see the private project path, including label IDs, because the issue was moved from private to public.
Also, the API below reveals the names of these labels too. This should not be disclosed, as these labels belonged to private projects.
https://gitlab.com/api/v4/projects/<Project_ID>/issues/<Current_Issue_ID>/resource_label_events
Steps to reproduce
- Create an issue in your private project.
- Apply labels to it (repeat this multiple times by adding and removing new labels).
- Now move this issue to one of your public projects.
- Log in as a non-member.
- Visit the above issue in the public project. You will see that the issue has a lot of label events which disclose the label ID along with the private project path the issue was moved from.
- Now visit the API
https://gitlab.com/api/v4/projects/<Project_ID>/issues/<Current_Issue_ID>/resource_label_events and this will disclose all the label names too.
Examples
You can see my project URL here: https://gitlab.com/newgroup_t/gemnasium-db/issues/9
What is the current bug behavior?
When an issue is moved from a private project to a public project, the timeline activity of the issue shows the private project path if the issue had labels applied in the private project.
The Resource_label_events API also reveals the label names that belonged to the private project.
What is the expected correct behavior?
The private project path should not be visible, and label names should not be disclosed in the Resource_label_events API.
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too!
Regards,
Ashish
Impact
- The private project path is visible when an issue is moved from a private project to a public project, but only when there are label events.
- The Resource_label_events API reveals all the label names too that were applied in the private project!
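The expected behaviour stated in the report, redacting label events whose label belongs to a project the viewer cannot read, as an added Ruby example. This is not GitLab's code: the event shape, the project ids and paths, and the `readable_project_ids` viewer lookup are all constructed for the example, and it applies the same redaction to both the timeline and the API representation.

```ruby
# Added example (not GitLab code): redact label events that reference labels
# from a project the current viewer cannot read. All data below is constructed.

# Constructed label events for an issue that was moved from a private project
# (id 1) to a public project (id 2). Each event carries the label id, the label
# name and the path of the project the label belongs to, which is the data the
# report shows being exposed on the timeline and in the API.
LABEL_EVENTS = [
  { id: 1, action: "add",    label_id: 101, label_name: "internal-only",
    label_project_path: "group/private-repo", label_project_id: 1 },
  { id: 2, action: "remove", label_id: 101, label_name: "internal-only",
    label_project_path: "group/private-repo", label_project_id: 1 },
  { id: 3, action: "add",    label_id: 202, label_name: "bug",
    label_project_path: "group/public-repo",  label_project_id: 2 },
].freeze

# Hypothetical viewer lookup: the set of project ids this viewer may read.
# A non-member of the private project can read only the public project (id 2).
def readable_project_ids(viewer)
  viewer[:readable_project_ids]
end

# Present one event as the timeline and API should show it to this viewer.
# An event whose label lives in an unreadable project keeps its id and action,
# so the history stays consistent, but loses the label id, label name and
# private project path.
def present_label_event(event, viewer)
  return event.dup if readable_project_ids(viewer).include?(event[:label_project_id])

  {
    id: event[:id],
    action: event[:action],
    label_id: nil,
    label_name: nil,
    label_project_path: nil,
    label_project_id: nil,
  }
end

def present_label_events(events, viewer)
  events.map { |event| present_label_event(event, viewer) }
end

# Defender-side check over a list of events (for example an API response):
# does any event still carry a label from a project outside the viewer's
# readable set? Returns true for the unredacted events, false after redaction.
def leaks_private_labels?(events, viewer)
  events.any? do |event|
    !event[:label_project_id].nil? &&
      !readable_project_ids(viewer).include?(event[:label_project_id])
  end
end

if __FILE__ == $PROGRAM_NAME
  anonymous = { readable_project_ids: [2] }
  puts "unredacted leaks: #{leaks_private_labels?(LABEL_EVENTS, anonymous)}"
  redacted = present_label_events(LABEL_EVENTS, anonymous)
  puts "redacted leaks:   #{leaks_private_labels?(redacted, anonymous)}"
  redacted.each { |event| puts event.inspect }
end
```

Redaction rather than deletion is a design choice here: dropping the events entirely would also close the leak, but keeping an anonymised "label added/removed" entry avoids a timeline that silently skips history. Either way, the check to apply is the one `leaks_private_labels?` performs: no event returned to a viewer may reference a label whose project that viewer cannot read.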