Number of private subgroups/projects is displayed in groups view
HackerOne report #712299 by xanbanx on 2019-10-11, assigned to @jeremymatos:
Hi GitLab Security Team,
Summary
GitLab allows users to create public groups with public subgroups. Within those subgroups, one can create private groups or private projects.
The top-level view of the parent group shows a list of publicly available resources (projects, subgroups).
For subgroups, however, GitLab displays the number of private resources (groups, projects), although the visiting user does not have access to those private groups/projects, thus leaking information.
Steps to reproduce
- Create a public group and within that public group another subgroup
- Within the subgroup, create some private sub-groups and some private projects
- As an unauthenticated user, visit the top-level group's detail page via https://example.gitlab.com/groups/
You can see some private subgroup details like
- the number of private subgroups
- the number of private projects
Impact
Unauthorized users see the number of private subgroups, projects, and members.
Examples
As an unauthenticated user, go to https://gitlab.com/my-top-level-group
On the right side, you see the subgroup public-group has one private subgroup and two private projects.
What is the current bug behavior?
Unauthorized users can see private statistics.
What is the expected correct behavior?
Only show the relevant statistics (number of groups, projects) if the user has access to these underlying entities.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above.
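To make the difference between the reported and the expected behaviour concrete, here is an added Ruby example (not GitLab's own code): a minimal in-memory model of a group page's child counts, with the leaking count beside an access-filtered count. The `Resource`/`Group` structs, the membership-based visibility rule and the sample data are assumptions constructed for this illustration.

```ruby
# Added illustration, not GitLab code: the structs, the visibility rule and
# the sample data below are assumptions made for this example.
Resource = Struct.new(:name, :visibility, :members, :parent) do
  # A public resource is visible to anyone; a private one only to a user
  # who is a member of it or of some ancestor (assumed rule).
  def visible_to?(user)
    return true if visibility == :public
    node = self
    while node
      return true if user && node.members.include?(user)
      node = node.parent
    end
    false
  end
end

# A group page: its own resource, child groups and child projects.
Group = Struct.new(:resource, :subgroups, :projects)

# Leaking behaviour as reported: every child is counted regardless of
# whether the viewer is allowed to see it.
def leaking_counts(group)
  { subgroups: group.subgroups.size, projects: group.projects.size }
end

# Expected behaviour: count only the children the viewer can access, so an
# anonymous visitor sees zero private subgroups and zero private projects.
def filtered_counts(group, user)
  {
    subgroups: group.subgroups.count { |g| g.resource.visible_to?(user) },
    projects: group.projects.count { |p| p.visible_to?(user) },
  }
end

# Constructed sample matching the report: a public subgroup holding one
# private subgroup and two private projects; "owner" is a member of it.
def sample_subgroup
  pub = Resource.new("public-group", :public, ["owner"], nil)
  priv_sub = Resource.new("private-sub", :private, [], pub)
  p1 = Resource.new("private-proj-1", :private, [], pub)
  p2 = Resource.new("private-proj-2", :private, [], pub)
  Group.new(pub, [Group.new(priv_sub, [], [])], [p1, p2])
end
```

Running `filtered_counts(sample_subgroup, nil)` for an anonymous visitor yields zero for both counts, while a member still sees the full figures.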