Service desk email is leaked via API for all users despite any role in the private project
HackerOne report #1360744 by gratitude101
on 2021-10-06, assigned to @cmaxim:
Report
Summary
Service desk email is leaked via API for all users despite any role in a project. The documentation says: "The unique internal email address is visible to project members with Maintainer (or higher) permission level in your GitLab instance", but that is not the case: the email address is leaked at https://gitlab.com/api/v4/projects/[PROJECT_ID] to any project member, i.e. GUEST, REPORTER, etc.
Steps to reproduce
- Log in to GitLab, create a private project and navigate to it.
- Navigate to Settings -> General -> Service Desk, toggle "Activate Service Desk" and click "Save changes".
- Now navigate to Project information -> Members and invite a user as Guest.
- Now log in as the Guest user and navigate to Issues -> Service Desk; the email address is not shown in the UI.
- Now navigate to https://gitlab.com/api/v4/projects/[PROJECT_ID], replacing PROJECT_ID with your project ID (shown at the root of the project); you should see the service desk email being leaked in the response.
The problem also affects public projects.
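The documented rule is that the Service Desk address is visible only to Maintainer (or higher) members, while the API response returns it to every member. The following added example (not GitLab's code) models that rule as a response filter and as an audit check over a captured Projects API body; it assumes the address is carried in the `service_desk_address` field and uses GitLab's numeric access levels (Guest 10 ... Owner 50), with a constructed sample project.

```python
# GitLab's numeric access levels (Guest=10, Reporter=20, Developer=30, Maintainer=40, Owner=50).
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Fields the Service Desk docs restrict to Maintainer (or higher) members.
# Assumption: the address is returned in the `service_desk_address` field.
MAINTAINER_ONLY_FIELDS = {"service_desk_address"}

# Constructed sample of a Projects API body for a private project with
# Service Desk enabled (not a real project, id or address).
SAMPLE_PROJECT = {
    "id": 12345,
    "name": "example-private-project",
    "visibility": "private",
    "service_desk_enabled": True,
    "service_desk_address": "incoming+example-12345-issue-@incoming.example.test",
}


def redact_for_access_level(project: dict, access_level: int) -> dict:
    """Return a copy of the project body with Maintainer-only fields removed
    for members below Maintainer; Maintainer and Owner see the full body."""
    if access_level >= MAINTAINER:
        return dict(project)
    return {k: v for k, v in project.items() if k not in MAINTAINER_ONLY_FIELDS}


def leaked_fields(project: dict, access_level: int) -> set:
    """Audit helper: given a body captured for a member with `access_level`,
    return the restricted fields that should not have been present."""
    if access_level >= MAINTAINER:
        return set()
    return {k for k in MAINTAINER_ONLY_FIELDS if project.get(k) is not None}


if __name__ == "__main__":
    for role, level in (("Guest", GUEST), ("Reporter", REPORTER), ("Maintainer", MAINTAINER)):
        print(role, "leaks:", leaked_fields(SAMPLE_PROJECT, level),
              "| after filter:", leaked_fields(redact_for_access_level(SAMPLE_PROJECT, level), level))
```

Running the audit over a body captured for a Guest or Reporter token reports `service_desk_address` as leaked, which is the behaviour this report describes; the filtered body reports nothing.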
Impact
Service desk email is leaked via API for all users despite any role in the private project
What is the current bug behavior?
Service desk email is leaked via API for all users despite any role in the private project
What is the expected correct behavior?
According to the docs, the service desk email should not be exposed to any user below the Maintainer role.
Output of checks
This bug happens on GitLab.com
Impact
Service desk email is leaked via API for all users, regardless of their role in the private project, despite the documentation saying the opposite.