Leak of confidential issues

HackerOne report #742791 by ajriverav on 2019-11-20, assigned to @jeremymatos:


Summary

Gitlab's UI incorrectly reports that a confidential issue is MOVED, where in reality it is COPIED and then CLOSED, giving unauthorized users access to the confidential issue.

Steps to reproduce

  1. Owner creates Repo Operations, and adds two members, Guest and Reporter #1.
  2. Reporter #1 creates a confidential issue in Repo Operations, which only Reporter #1 and Owner can see.
  3. Reporter #1 creates a 2nd confidential issue in Repo Operations, which only Reporter #1 and Owner can see.
  4. Owner creates Repo OperationsConfidential and adds Reporter #1.
  5. Reporter #1 closes confidential issue #1.
  6. Reporter #1 moves the closed confidential issue #1 to Repo OperationsConfidential.
  7. Reporter #1 moves confidential issue #2 to Repo OperationsConfidential.
  8. For the Repo Operations, Owner promotes Guest to Reporter #2 (a second one since we already had Reporter #1).
  9. Now, in Repo Operations, Reporter #2 can see confidential issue #1 and #2 (because they WERE NEVER MOVED, as Gitlab's UI indicated). To me, this is wrong. Owner is unknowingly leaking confidential info to Reporter #2 although Gitlab makes one think Reporter #2 will not be able to see them because the issues were MOVED.
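The following is an added audit helper, not code from the original report or from GitLab: before promoting a Guest to Reporter in a project, it lists the confidential issues that the UI reports as "moved" but that still exist as closed issues in the source project, which is exactly the set a newly promoted Reporter would gain access to. It assumes the shape of the GitLab REST issues API (`GET /projects/:id/issues`, with the `confidential` filter and the `iid`, `confidential`, `state` and `moved_to_id` fields on each issue); the sample issues embedded below are constructed to mirror the reproduction steps and are not real data.

```python
"""Audit helper: find confidential issues reported as "moved" that still live
(closed) in the source project, so they would become readable by anyone newly
granted Reporter access there.

Added example, not part of the original report. Assumes the GitLab REST issues
API shape (fields `iid`, `confidential`, `state`, `moved_to_id`); the sample
data below is constructed for illustration.
"""
import json
import urllib.request

# Constructed sample: roughly what GET /projects/<id>/issues?confidential=true
# would return for "Repo Operations" after the reproduction steps above.
SAMPLE_ISSUES_JSON = json.dumps([
    {"iid": 1, "title": "Confidential issue #1", "confidential": True,
     "state": "closed", "moved_to_id": 501},
    {"iid": 2, "title": "Confidential issue #2", "confidential": True,
     "state": "closed", "moved_to_id": 502},
    {"iid": 3, "title": "Still open confidential", "confidential": True,
     "state": "opened", "moved_to_id": None},
    {"iid": 4, "title": "Public closed issue", "confidential": False,
     "state": "closed", "moved_to_id": None},
])


def load_sample():
    """Parse the constructed sample into the list-of-dicts form the API returns."""
    return json.loads(SAMPLE_ISSUES_JSON)


def leftover_moved_confidential(issues):
    """Return iids of confidential issues that were 'moved' yet still exist here.

    A moved issue keeps a closed copy in the source project with `moved_to_id`
    set; because that copy is still a confidential issue of this project,
    every member at Reporter level or above can read it.
    """
    return sorted(
        issue["iid"]
        for issue in issues
        if issue.get("confidential") and issue.get("moved_to_id") is not None
    )


def promotion_is_safe(issues):
    """True when promoting a Guest to Reporter exposes no 'moved' confidential issues."""
    return not leftover_moved_confidential(issues)


def fetch_confidential_issues(base_url, project_id, token):
    """Live variant (not exercised offline): pull the project's confidential
    issues via the REST API using a personal access token."""
    url = f"{base_url}/api/v4/projects/{project_id}/issues?confidential=true&per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    leftovers = leftover_moved_confidential(load_sample())
    if leftovers:
        print("Confidential issues still readable in source project:", leftovers)
    else:
        print("No leftover moved confidential issues")
```

Run against the sample, the helper flags issues 1 and 2: both are closed with `moved_to_id` set, so the "move" left readable copies behind. The open confidential issue and the public issue are not flagged, since only the first is a confidentiality concern and it was never moved. Swap `load_sample()` for `fetch_confidential_issues(...)` to audit a real project before changing a member's role.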

Impact

Leakage of confidential issues.

Examples

I noticed this bug when I needed to promote a Guest-level user to Reporter because I wanted the user to be able to change tags. In doing so, I realized I inadvertently exposed confidential issues that HAD SUPPOSEDLY BEEN "MOVED" to another repo.

What is the current bug behavior?

Not needed.

What is the expected correct behavior?

To actually MOVE the issue.

Relevant logs and/or screenshots

Not needed.

Output of checks

Not needed.

Results of GitLab environment info

Not needed.

Impact

In this example, the owner who promoted the guest-level user to reporter-level user will leak confidential issues.
