Issue system notes reveals private project path when it is closed view merge request and moved to a public project
HackerOne report #724880 by ashish_r_padelkar on 2019-10-29, assigned to @jbroullon:
Summary
Hello,
When issue is closed via merge request, the associated merge request ID or commit ID is visible via issue system notes to guest users. The same system note reveals full project path too when this issue is moved to public projects.
Steps to reproduce
- Create a issue in private project
- Create a merge request for the same.
- Merge the merge request so that issue is closed.
- A system note in issue is created saying
closed via merge requestorclosed via commit
OR
5. Same is visible to Guest users in issue(go to issue details) system notes which shouldnt be possible.
6. Now move this issue to public project and the same system notes reveals the full private project path from which this issue is moved from.
What is the current bug behavior?
Issue system notes reveals merge request ID or commit ID, may also reveal full project path when its moved
What is the expected correct behavior?
None of the information related to merge request or commits should be visible
Output of checks
This bug happens on GitLab.com and might be on omnibus installations too. This is verified on Gitlab.com at the time of writing the report.
Regards,
Ashish
Impact
Merge request ID, Commit ID and Project Path visible when issue is closed via merge requests
Attachments
Warning: Attachments received through HackerOne, please exercise caution!