Service desk email is leaked via API for all users despite any role in the private project
HackerOne report #1360744 by gratitude101 on 2021-10-06, assigned to @cmaxim:
Report
Summary
Service desk email is leaked via API for all users despite any role in a project. The documentation here says The unique internal email address is visible to project members with Maintainer (or higher) permission level in your GitLab instance but that is not the case, the email address is leaked here https://gitlab.com/api/v4/projects/[PROJECT_ID] for any user i.e., GUEST, REPORTERetc
Steps to reproduce
- Login to gitlab and create a private project and navigate to the project.
- Navigate to
Settings ->General -> Service Deskand toggleActivate Service Deskand clickSave changes - Now navigate to
Project information -> Membersand invite a user asGuest - Now login as
Guestuser and navigate toIssues -> Service Desk, the email address is not shown in the UI - Now navigate to
https://gitlab.com/api/v4/projects/[PROJECT_ID], replacePROJECT_IDwith your Project ID which you can get in the root of the project, you should see service desk email being leaked in the response.
The problem is also for public projects.
Impact
Service desk email is leaked via API for all users despite any role in the private project
What is the current bug behavior?
Service desk email is leaked via API for all users despite any role in the private project
What is the expected correct behavior?
According to the docs, the service desk email should not be leaked for any user below Maintainer role.
Output of checks
This bug happens on GitLab.com
Impact
Service desk email is leaked via API for all users despite any role in the private project despite the documentation saying the opposite
How To Reproduce
Please add reproducibility information to this section: