Release names visible in public projects despite release set as project members only
HackerOne report #1725841 by ashish_r_padelkar on 2022-10-07, assigned to @cmaxim:
Report
Summary
Hello,
Releases can be restricted to Only Project Members in the project settings. This should ensure that no release information is visible outside team members.
However, anyone can see release names in public projects through the tags page at https://gitlab.com/<NameSpace>/<ProjectName>/-/tags even when releases are set to project members only.
Steps to reproduce
1. As a project owner, set your project as public with Releases set to Only Project Members at https://gitlab.com/<NameSpace>/<ProjectName>/edit#js-general-project-settings.
2. Now create a Release at https://gitlab.com/<NameSpace>/<ProjectName>/-/releases.
3. Access https://gitlab.com/<NameSpace>/<ProjectName>/-/releases without authentication; you will get a 404, as the Release is only visible to team members.
4. Now access the tags page at https://gitlab.com/<NameSpace>/<ProjectName>/-/tags and you should see the Release associated with the tags, like below.
5. As the repository is public, you are able to see the tags page, and the tags page discloses the release names. This requires a proper permission check.
Examples
At https://gitlab.com/groupnew321/projectbugs/-/tags you can see the release name visible for a tag. Clicking on the release will give you a 404 page.
What is the current bug behavior?
Release names are disclosed on the tags page despite releases being set to project members only.
What is the expected correct behavior?
Release names should not be visible to unauthenticated users when releases are set to only project members.
Output of checks
This bug happens on GitLab.com
Regards,
Ashish
Impact
Release names visible in public projects despite release set as project members only
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
Proposal
Add the proper permission check to the tag partial, which is rendered server-side, so that a tag's release name is only emitted when the viewer is allowed to read releases.
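The following Ruby is an added illustration of the check the proposal describes; it is not GitLab's code and does not use GitLab's real models, policies or view helpers. It models a public project whose releases are restricted to members, a tags page that anyone can see, and a tag-row partial in two forms: the vulnerable one, which copies the release name into the row whenever the tag has a release, and the fixed one, which gates that on a release-read permission. All names (`Project`, `Tag`, `can_read_release?`, `render_tag_row_*`, `leaked_release_names`) and the sample data are hypothetical.

```ruby
# Added example, not GitLab's code: a minimal model of the server-rendered
# tag-list partial and the "Releases: Only Project Members" setting.
# All names and the sample data below are hypothetical/constructed.
require 'set'

Project = Struct.new(:public, :releases_members_only, :members, keyword_init: true)
Tag     = Struct.new(:name, :release_name, keyword_init: true)

# Repository visibility: a public project exposes its tags page to everyone,
# including unauthenticated visitors (user = nil).
def can_read_repository?(user, project)
  project.public || (!user.nil? && project.members.include?(user))
end

# Release visibility: with "Only Project Members" set, only members may read
# release data; otherwise it follows repository visibility.
def can_read_release?(user, project)
  return can_read_repository?(user, project) unless project.releases_members_only

  !user.nil? && project.members.include?(user)
end

# Vulnerable row: the partial emits the release name whenever the tag has one,
# relying only on the fact that the caller could see the tags page at all.
def render_tag_row_vulnerable(tag, _user, _project)
  row = { tag: tag.name }
  row[:release] = tag.release_name if tag.release_name
  row
end

# Fixed row: the release name is emitted only when the viewer may read releases.
def render_tag_row_fixed(tag, user, project)
  row = { tag: tag.name }
  row[:release] = tag.release_name if tag.release_name && can_read_release?(user, project)
  row
end

# The tags page: nil (a 404) when the repository itself is not visible,
# otherwise one row per tag built by the chosen partial.
def render_tags_page(tags, user, project, fixed: true)
  return nil unless can_read_repository?(user, project)

  tags.map do |tag|
    fixed ? render_tag_row_fixed(tag, user, project) : render_tag_row_vulnerable(tag, user, project)
  end
end

# Release names an unauthenticated visitor would see in the rendered rows.
def leaked_release_names(tags, project, fixed:)
  rows = render_tags_page(tags, nil, project, fixed: fixed) || []
  rows.map { |row| row[:release] }.compact
end

# Constructed sample data mirroring the report: a public project with releases
# restricted to members, one tag carrying a release and one without.
SAMPLE_PROJECT = Project.new(public: true, releases_members_only: true, members: Set['alice'])
SAMPLE_TAGS = [
  Tag.new(name: 'v1.0.0', release_name: 'Internal beta'),
  Tag.new(name: 'v0.9.0', release_name: nil)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable partial leaks: #{leaked_release_names(SAMPLE_TAGS, SAMPLE_PROJECT, fixed: false).inspect}"
  puts "fixed partial leaks:      #{leaked_release_names(SAMPLE_TAGS, SAMPLE_PROJECT, fixed: true).inspect}"
end
```

The point the model makes is that the 404 on the releases page is not enough: any other server-rendered view that joins tag data to release data (here, the tag row) must apply the same release-read permission, otherwise the restricted data leaks through the more permissive view.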