Guest users in private projects can see TAG names of releases.

HackerOne report #744750 by ashish_r_padelkar on 2019-11-22, assigned to @cmaxim:

Summary

Hello,

As per the documentation here https://gitlab.com/help/user/permissions , Guest users can access Release pages for downloading assets but are not allowed to download the source code nor see repository information such as tags and commits.

But when I go to the EDIT page of a release, it says "Releases are based on Git tags".

The release API https://gitlab.com/api/v4/projects/15203433/releases gives a response with edit_url parameters which disclose the TAG names in the URL.

This probably happened because of recent changes. I am not sure though if that's the case, but this URL is not required to be shown to guest users as they don't have the ability to EDIT it anyway. Having that parameter for guest users gives them the TAG names associated with releases, which contradicts the documentation.

Steps to reproduce

  1. In private project create a release.
  2. Log in as a guest user in the private project. If you go to the release page, the UI doesn't load.
  3. Now go to https://gitlab.com/api/v4/projects/<ID>/releases which will give you a response with edit_url, which contains the TAG name in the URL.

What is the current bug behavior?

Tag name disclosure to guest users in private projects through release API

What is the expected correct behavior?

In my opinion, releases shouldn't be visible to guest users at all as they don't have any access to repositories. Not sure if the feature is going in this direction, but it looks like the UI doesn't load the release page for guest users now. However, the releases API still works, which reveals TAG names through the edit_url parameter.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Guest users are able to see TAG names of releases, which is against the documentation.
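A regression check for the disclosure described in this report, added here as an example and not code from the report or from GitLab: it walks the JSON a guest-level token receives from the releases endpoint and flags every field whose value reveals a release tag, either a direct tag_name field or a tag embedded in an edit_url path. The response below is constructed for the example; the hostname, project path and tag names are placeholders, and the edit_url path layout ".../releases/<tag>/edit" is an assumption.

```python
"""Flag release-API fields that disclose tag names to a guest user."""
import json
from urllib.parse import unquote, urlparse

# Constructed sample of what a guest might receive for a private project.
# Host, project path and tags are placeholders, not real data.
GUEST_RESPONSE = json.dumps([
    {"name": "Release 1.0", "description": "first release",
     "edit_url": "https://gitlab.example/group/proj/-/releases/v1.0/edit"},
    {"name": "Hotfix", "description": "fixes",
     "edit_url": "https://gitlab.example/group/proj/-/releases/v1.0.1/edit"},
])


def walk(obj, path=""):
    """Yield (dotted_path, value) for every string leaf in a JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def tag_from_edit_url(url):
    """Return the tag segment of a .../releases/<tag>/edit URL, else None.
    The path layout is an assumption for this example."""
    parts = urlparse(url).path.rstrip("/").split("/")
    if len(parts) >= 3 and parts[-1] == "edit" and parts[-3] == "releases":
        return unquote(parts[-2])
    return None


def find_tag_disclosures(body):
    """Return [(field_path, tag)] for every field revealing a tag name.
    A clean guest response (no tag_name, no edit_url) yields []."""
    findings = []
    for idx, release in enumerate(json.loads(body)):
        for path, value in walk(release, f"[{idx}]"):
            if path.endswith("tag_name"):
                findings.append((path, value))
            else:
                tag = tag_from_edit_url(value)
                if tag is not None:
                    findings.append((path, tag))
    return findings


if __name__ == "__main__":
    for path, tag in find_tag_disclosures(GUEST_RESPONSE):
        print(f"{path} discloses tag {tag!r}")
```

Run it against the body actually returned to a guest-role token; an empty result means the response carries no tag-bearing fields.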
