New project path disclosure through unsubscribe link of issue/merge requests

HackerOne report #650574 by ashish_r_padelkar on 2019-07-19, assigned to akelly:

Summary

Hello,

When a user is subscribed to any issue/merge request from a public project, they get an email with an unsubscribe link.

The problem with this link is that it discloses the new path of the project if the project goes from public to private and the user later navigates to the unsubscribe URL.

Steps to reproduce

  1. Subscribe to any public project issue/merge request.
  2. Let anyone comment on the issue or merge request so that you receive an email.
  3. The owner now makes the project private.
  4. The owner changes the path of the project.
  5. Now visit the unsubscribe link from the email. It will navigate to the new project path automatically.

What is the current bug behavior?

Discloses the new project path URL if the project goes from public to private.

What is the expected correct behavior?

The new project path should not be visible.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Discloses the new project path when the project becomes private.
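The expected behaviour above amounts to one check: after the unsubscribe token is accepted, the redirect target must be chosen by the current user's read access to the project, not by the token alone. The following is an added illustration, not GitLab's code; `Project`, `Subscription` and `UnsubscribeHandler` are hypothetical stand-ins for the real records and controller.

```ruby
# Added illustration (not GitLab's code): an unsubscribe handler that must not
# reveal a project's current path to a user who can no longer see the project.

# Hypothetical records. visibility is :public or :private; members holds user ids.
Project = Struct.new(:id, :path, :visibility, :members)
Subscription = Struct.new(:token, :user_id, :project_id, :subscribed)

class UnsubscribeHandler
  def initialize(projects, subscriptions)
    @projects = projects.to_h { |p| [p.id, p] }
    @subscriptions = subscriptions.to_h { |s| [s.token, s] }
  end

  # The token was issued when the email went out, so it stays valid after the
  # project is made private and renamed. Anyone holding it may still unsubscribe;
  # the leak is only in where the handler sends them afterwards.
  def unsubscribe(token, current_user_id)
    sub = @subscriptions[token]
    return { status: 404 } unless sub

    sub.subscribed = false
    project = @projects[sub.project_id]

    # Leaky behaviour (the bug in the report): always redirect to the project's
    # current path, which is exactly the value a non-member must not learn.
    leaky = "/#{project.path}/-/issues"

    # Hardened behaviour: only members or readers of public projects see the
    # path; everyone else lands on a neutral confirmation page.
    location = readable?(project, current_user_id) ? leaky : '/-/unsubscribed'
    { status: 302, location: location, unsubscribed: !sub.subscribed }
  end

  private

  def readable?(project, user_id)
    project.visibility == :public || project.members.include?(user_id)
  end
end

# Constructed sample: the project was public when the email was sent, then was
# made private and renamed; user 7 subscribed earlier and is not a member.
def demo(user_id = 7)
  project = Project.new(1, 'acme/new-secret-name', :private, [42])
  sub = Subscription.new('tok-abc', 7, 1, true)
  UnsubscribeHandler.new([project], [sub]).unsubscribe('tok-abc', user_id)
end
```

Calling `demo` for the non-member returns the neutral location, while `demo(42)` (a member) still receives the project path.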
