Private merge request titles leaked to unauthorized users via pipeline widget

HackerOne report #717675 by xanbanx on 2019-10-18, assigned to @jeremymatos:

Hi GitLab Security Team,

Summary

GitLab recently added a feature to render the related merge requests on the pipelines view.
Here, GitLab is missing proper access control and always shows the related merge requests regardless of whether the visiting user has access to merge requests. In particular, the titles of the merge requests are leaked to anyone who can visit pipelines but not the merge request. This leak can happen in two cases: first, in restricted public repos (where merge requests are restricted to members), and second, for guest users in private projects. Guest users do not have access to the repository or to merge requests.

Steps to reproduce

Tested on GitLab Enterprise Edition 12.3.0-pre 0e052976 (Canary)

  1. Create a public project and restrict merge requests to project members only
  2. Enable GitLab CI, push some code, and create a merge request
  3. As an unauthenticated user, go to https://gitlab.com/<namespace>/<project>/pipelines/<pipeline-id> to view the pipeline. In the commit widget, the title of the related merge request is shown although the user does not have access to merge requests.

The same happens for guest users of private projects:

  1. Create a private project, push some code, and create a merge request
  2. Add a guest user to the project
  3. As the guest user, visit the pipeline in the frontend via https://gitlab.com/<namespace>/<project>/pipelines/<pipeline-id>. Again, the title of the merge request is leaked to the guest user, who does not have access to the repository and merge requests.

Impact

Unauthorized users without access to merge requests can read the merge request titles showing on pipelines. Seems to have a similar impact as #435093 (closed)

Examples

As an unauthenticated user, go to https://gitlab.com/wter23/test-mr-leak/pipelines/89855619 (Canary enabled). Here, you see the title of the related merge requests being leaked although you don't have access to the merge request.

What is the current bug behavior?

Users without access to merge requests can read the merge request title on the pipeline view.

What is the expected correct behavior?

The related merge request is not rendered if the visiting user does not have access to merge requests.
When looking into the code, it seems the PipelinePresenter#all_related_merge_requests in https://gitlab.com/gitlab-org/gitlab/blob/master/app%2Fpresenters%2Fci%2Fpipeline_presenter.rb#L128 returns merge requests although the user might not have access to merge requests.

Output of checks

This bug happens on GitLab.com

Best regards,
Xanbanx

Impact

See above.
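The access-control gap the report describes, and the filtering it asks for, modelled as an added Ruby example (this is not GitLab's code, and it is not the reporter's): the Project, User, MergeRequest and Pipeline structs, the ROLE_RANK table, the can_read_merge_request? rule and the two sample projects are assumptions chosen to mirror the two cases in the report (a public project with merge requests restricted to members, and a guest in a private project). LeakyPipelinePresenter returns every related merge request regardless of the viewer; PipelinePresenter filters them by the viewer's permission on each merge request's project.

```ruby
# Added example modelling the leak described in the report. Not GitLab's code:
# every class, method and sample project below is an assumption.

Project = Struct.new(:visibility, :merge_requests_access, :members, keyword_init: true)
# visibility: :public or :private
# merge_requests_access: :everyone, or :members_only when MRs are restricted
# members: { user_name => role }

User = Struct.new(:name, keyword_init: true)
MergeRequest = Struct.new(:iid, :title, :project, keyword_init: true)
Pipeline = Struct.new(:id, :project, :merge_requests, keyword_init: true)

# Assumed role ordering; a Guest is below the minimum role for reading MRs,
# matching the report's note that guests cannot read the repository or MRs.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze
MIN_MR_ROLE = :reporter

# Assumed permission rule: members need at least MIN_MR_ROLE; non-members
# (including anonymous visitors, user == nil) may read MRs only in a public
# project that has not restricted them.
def can_read_merge_request?(user, project)
  role = user && project.members[user.name]
  if role
    ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(MIN_MR_ROLE)
  else
    project.visibility == :public && project.merge_requests_access == :everyone
  end
end

# Vulnerable shape: the related MRs are returned without consulting the viewer,
# so the pipeline view renders their titles to anyone who can see the pipeline.
class LeakyPipelinePresenter
  def initialize(pipeline, current_user)
    @pipeline = pipeline
    @current_user = current_user
  end

  def all_related_merge_requests
    @pipeline.merge_requests
  end
end

# Hardened shape: keep only the MRs the current viewer is allowed to read.
# The check is per merge request, since related MRs may belong to other projects.
class PipelinePresenter < LeakyPipelinePresenter
  def all_related_merge_requests
    super.select { |mr| can_read_merge_request?(@current_user, mr.project) }
  end
end

# Constructed sample data reproducing the report's two cases.
def sample_pipelines
  restricted_public = Project.new(visibility: :public, merge_requests_access: :members_only,
                                  members: { "owner" => :maintainer })
  private_project = Project.new(visibility: :private, merge_requests_access: :everyone,
                                members: { "owner" => :maintainer, "guest" => :guest })
  {
    restricted_public: Pipeline.new(
      id: 1, project: restricted_public,
      merge_requests: [MergeRequest.new(iid: 1, title: "Add internal billing hook",
                                        project: restricted_public)]
    ),
    private: Pipeline.new(
      id: 2, project: private_project,
      merge_requests: [MergeRequest.new(iid: 1, title: "Rotate API credentials",
                                        project: private_project)]
    )
  }
end

# Titles the given presenter would render for this viewer (nil = anonymous).
def related_titles(presenter_class, pipeline, user)
  presenter_class.new(pipeline, user).all_related_merge_requests.map(&:title)
end

if __FILE__ == $PROGRAM_NAME
  pipelines = sample_pipelines
  guest = User.new(name: "guest")
  [[:restricted_public, nil, "anonymous"], [:private, guest, "guest"]].each do |key, user, label|
    leaky = related_titles(LeakyPipelinePresenter, pipelines[key], user)
    fixed = related_titles(PipelinePresenter, pipelines[key], user)
    puts "#{key} / #{label}: leaky=#{leaky.inspect} fixed=#{fixed.inspect}"
  end
end
```

The leaky presenter hands the anonymous visitor and the guest the MR titles in both cases; the hardened one returns an empty list for them while a Maintainer still sees the related merge requests.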
