Private project path, milestone name and label ID visible when issue is moved to public projects
HackerOne report #704712 by ashish_r_padelkar
on 2019-10-01, assigned to @ankelly:
Summary
Hello,
When an issue is moved from a private project to a public project, the following information from the private project/group is visible in the issue timeline:
- Private project/group milestone
- Private project label ID
- and, because of the above two, the private project path from both is disclosed as well
Steps to reproduce
- Create a private group
- Create private project under it
- Create an issue in the project
- After creating the issue, apply milestone, label and epic to this issue. Each action should create timeline activities in issue.
- Now move this issue to a public project.
- Log in as a non-member and visit this public issue; you should see timeline activity disclosing the milestone name, label ID and private group/project path from which it was moved.
What is the current bug behavior?
Discloses the private group/project path, milestone name and label ID if an issue is moved from a private to a public project.
What is the expected correct behavior?
This information should be hidden from non-members.
Output of checks
This bug happens on GitLab.com and might be present on Omnibus installations too!
Regards,
Ashish
Impact
Milestone name, label ID and private project path are visible to non-members when an issue is moved from a private to a public project.
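The mitigation the report asks for, as an added Ruby example that is not GitLab's code: timeline (system) notes carry the project their milestone, label or epic reference belongs to, and a viewer-side filter redacts any note whose referenced project the viewer cannot read. The project paths, member names and note texts are constructed for illustration.

```ruby
# Added example, not GitLab's code: models the issue-move disclosure from the
# report and a viewer-side filter that hides system notes whose referenced
# milestone, label or epic lives in a project the viewer cannot read.
# Paths, members and note texts below are constructed for illustration.
Project = Struct.new(:path, :visibility, :members, keyword_init: true)
# A timeline (system) note plus the project/group its reference belongs to.
SystemNote = Struct.new(:text, :ref_project, keyword_init: true)

class SystemNoteFilter
  REDACTED = '[system note hidden: references a project you cannot access]'

  def initialize(projects)
    @projects = projects.to_h { |p| [p.path, p] }
  end

  # A project is readable when it is public or the viewer is a member.
  # An unknown path is treated as unreadable (fail closed).
  def readable?(path, viewer)
    project = @projects[path]
    return false unless project
    project.visibility == :public || project.members.include?(viewer)
  end

  # Returns the timeline as the viewer should see it: notes whose reference
  # points into a project the viewer cannot read are replaced by REDACTED.
  def visible_notes(notes, viewer)
    notes.map do |n|
      n.ref_project.nil? || readable?(n.ref_project, viewer) ? n.text : REDACTED
    end
  end
end

PROJECTS = [
  Project.new(path: 'acme-private/secret-proj', visibility: :private, members: %w[alice]),
  Project.new(path: 'acme/public-proj', visibility: :public, members: %w[alice])
].freeze

# Timeline of an issue created in the private project and moved to the public one.
TIMELINE = [
  SystemNote.new(text: 'changed milestone to %Q4-launch', ref_project: 'acme-private/secret-proj'),
  SystemNote.new(text: 'added ~1234 label', ref_project: 'acme-private/secret-proj'),
  SystemNote.new(text: 'moved from acme-private/secret-proj#7', ref_project: 'acme-private/secret-proj'),
  SystemNote.new(text: 'changed title', ref_project: nil)
].freeze

def timeline_for(viewer)
  SystemNoteFilter.new(PROJECTS).visible_notes(TIMELINE, viewer)
end

puts timeline_for('bob') if __FILE__ == $PROGRAM_NAME
```

Running it prints the timeline as the non-member `bob` would see it, with the three notes referencing the private project redacted and only `changed title` shown in full.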
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Edited by Gabe Weaver