ESCALATED: Contribution Analytics of Internal Projects leaked to External Users

HackerOne report #731423 by xanbanx on 2019-11-07, assigned to @jeremymatos:

Hi GitLab Security Team,

Summary

GitLab allows having external users. Those users only have access to public data and to projects to which they have explicit access. They don't have general access to internal projects.

However, if a public group has internal projects, external users can go to the contribution analytics page and see all the activity of the internal projects.

Steps to reproduce

Tested on a local installation of GitLab Enterprise 12.5.0pre b633727c

  1. Create a public group and, inside it, an internal project
  2. On the internal project, create issues, MRs, push some code
  3. As an external user, visit the public group's contribution analytics page and see all the activity of the internal project.

Impact

External users have access to the contribution analytics of internal projects

What is the current bug behavior?

External users can see the contribution analytics of projects they don't have access to.

What is the expected correct behavior?

External users without access to internal projects should not see the contribution analytics of projects they don't have access to.

Results of GitLab environment info

System information  
System:         Ubuntu 18.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.6.3p62  
Gem Version:    2.7.9  
Bundler Version:1.17.3  
Rake Version:   12.3.3  
Redis Version:  3.2.12  
Git Version:    2.22.0  
Sidekiq Version:5.2.7  
Go Version:     unknown

GitLab information  
Version:        12.5.0-pre  
Revision:       b633727c47d  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     10.9  
URL:            https://example.gitlab.com  
HTTP Clone URL: https://example.gitlab.com/some-group/some-project.git  
SSH Clone URL:  git@example.gitlab.com:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        10.2.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  
Git:            /opt/gitlab/embedded/bin/git

Best regards,
Xanbanx

Impact

See above.
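The access-control shape behind this report, as an added example in Ruby (not GitLab's code; the `Project`, `Viewer`, `Event` structs and both aggregation functions are hypothetical): group-level contribution analytics must drop events from projects the viewer cannot read before aggregating, rather than summing over every project in the group.

```ruby
# Added example, not GitLab's code. Models how a group's contribution
# analytics must be scoped to the projects the viewer is allowed to read.
# All names below are hypothetical.

# Visibility levels in ascending order of openness.
PRIVATE, INTERNAL, PUBLIC = 0, 10, 20

Project = Struct.new(:name, :visibility, :members)
Viewer  = Struct.new(:name, :external)
# One contribution event: a push, issue or merge request by an author in a project.
Event   = Struct.new(:project, :author, :kind)

# A project is readable when it is public, when the viewer is an explicit
# member, or when it is internal and the viewer is a regular (non-external) user.
def readable?(project, viewer)
  return true if project.visibility == PUBLIC
  return true if project.members.include?(viewer.name)
  project.visibility == INTERNAL && !viewer.external
end

# Vulnerable shape: aggregates every event of every project in the group,
# which is the behaviour the report describes for external users.
def contributions_unscoped(events)
  events.group_by(&:author).transform_values(&:size)
end

# Hardened shape: filter events by the viewer's read access to each project
# first, then aggregate. The check runs before aggregation, not on rendered rows.
def contributions_for(events, viewer)
  visible = events.select { |e| readable?(e.project, viewer) }
  visible.group_by(&:author).transform_values(&:size)
end

# Constructed sample data mirroring the report: a public group holding
# one public project and one internal project.
PUBLIC_PROJECT   = Project.new("docs", PUBLIC, [])
INTERNAL_PROJECT = Project.new("internal-tool", INTERNAL, ["alice"])
EVENTS = [
  Event.new(PUBLIC_PROJECT, "alice", :push),
  Event.new(INTERNAL_PROJECT, "alice", :issue),
  Event.new(INTERNAL_PROJECT, "bob", :merge_request),
  Event.new(INTERNAL_PROJECT, "bob", :push),
]

EXTERNAL = Viewer.new("eve", true)    # external user, no explicit membership
REGULAR  = Viewer.new("carol", false) # regular user, may read internal projects
```

For the external viewer the scoped result contains only the public project's activity, while a regular user or an external user who is an explicit member of the internal project sees all of it.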

Edited Feb 27, 2020 by GitLab SecurityBot