Users can see number of open merge requests/issue `counts` from public project despite no permissions
HackerOne report #692199 by ashish_r_padelkar on 2019-09-11, assigned to akelly:
Summary
Hello,
When a public project's issues and merge requests are set to Only Project Members, none of its information should be publicly visible.
However, anyone can see the open merge request and issue counts of such projects via the profile of a user who has contributed to them.
Steps to reproduce
- Set a user profile at https://gitlab.com/profile as public
- Create a public project with issues and merge requests set to Only project members
- Contribute to this project so that it appears on your profile at https://gitlab.com/users/<UserName>/contributed
- Log in as a non-member who can't see issues/merge requests from the public project.
- Navigate to the user who contributed to that project: https://gitlab.com/users/<UserName>/contributed
- You will see the number of Open merge requests and Open public issue counts from that project, which are otherwise not visible.
What is the current bug behavior?
Able to see the number of open merge requests and issue counts from public projects which are restricted.
What is the expected correct behavior?
None of the info should be visible when issue and merge requests are accessible only to members
Output of checks
This bug happens on GitLab.com and might be on omnibus installations!
Regards,
Ashish
Impact
Information disclosure of open merge request counts and public issue counts from public projects when issues and merge requests are restricted to project members only.
This is also possible in private projects, where a guest is able to see open merge request counts, which is not possible otherwise.
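As an added illustration (not GitLab's code and not part of the report), a defender-side sketch in Ruby of the fix the expected behaviour implies: the counts shown on a contributed-projects card are gated on the same access check that gates the issue and merge request pages, and are omitted (not shown as 0) when the viewer may not read that feature. The `Project` struct, the access levels and the member lists are simplified assumptions.

```ruby
# Added illustration (not GitLab's code): gate issue/MR counts on the same
# permission check that gates the issue and merge request pages themselves.
# Models, names and access levels below are simplified assumptions.

FEATURE_LEVELS = %i[disabled private enabled].freeze # :private == "Only Project Members"

# visibility: :public or :private; members: list of user names (constructed)
Project = Struct.new(:visibility, :issues_access, :mr_access, :members,
                     :open_issues_count, :open_mr_count)

# A viewer may read a feature when it is enabled on a public project,
# or when the viewer is a project member (covers members-only features
# on public projects and every feature of private projects).
def can_read_feature?(project, user, feature)
  level = feature == :issues ? project.issues_access : project.mr_access
  return false if level == :disabled
  return true if level == :enabled && project.visibility == :public
  !user.nil? && project.members.include?(user)
end

# Counts for a profile / contributed-projects card. A feature the viewer
# cannot read yields nil, so the card reveals nothing about restricted
# issues or merge requests (a 0 would still leak "none are open").
def visible_counts(project, user)
  {
    open_issues: can_read_feature?(project, user, :issues) ? project.open_issues_count : nil,
    open_merge_requests: can_read_feature?(project, user, :merge_requests) ? project.open_mr_count : nil
  }
end

# Constructed sample: public project, issues and MRs members-only, one member.
if __FILE__ == $PROGRAM_NAME
  restricted = Project.new(:public, :private, :private, ["alice"], 7, 3)
  p visible_counts(restricted, nil)     # anonymous: both nil
  p visible_counts(restricted, "bob")   # non-member: both nil
  p visible_counts(restricted, "alice") # member: {open_issues: 7, open_merge_requests: 3}
end
```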