Attachments to confidential issues and epics in public projects are accessible without authentication
Problem Statement
Today, GitLab requires authentication to view the content of confidential issues, epics, and merge requests. Non-image attachments uploaded to those confidential items, however, are not protected in the same way: in a public project they can be fetched without signing in. Sensitive information can therefore be exposed unintentionally, creating security risk for organizations.
Problem to solve
As a group/project member, I want non-image attachments in confidential issues, epics, and merge requests to require authentication, so I can ensure sensitive information is protected and only accessible to authorized users.
Intended users
User experience goal
The user should be able to rely on GitLab to protect sensitive information by ensuring that attachments in confidential issues, epics, and merge requests require authentication for access.
Proposal
Require authentication to access or view attachments in confidential issues, epics, and merge requests, similar to how viewing the content of these items requires authentication. This will ensure that only authorized users can access attachments in confidential items.
Further details
This feature would reduce the risk of unintentional exposure and provide organizations with better security controls when files containing sensitive or personal information are uploaded to issues, epics, or merge requests.
Permissions and Security
Expected impact: unauthenticated visitors, and authenticated users who are not members of the project, would no longer be able to access file attachments uploaded to confidential issues, epics, or merge requests.
Members of the group or project who can view the content of a confidential issue, epic, or merge request would still be able to view the files uploaded to it.
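The following audit helper is an added example, not GitLab's code, showing how a project maintainer could verify the behaviour described above (and, once the proposal ships, confirm the fix): it enumerates a project's confidential issues with an authenticated REST call, extracts the upload links from their descriptions, and then fetches each attachment with no credentials at all, reporting whether the file is served anonymously. Assumptions, all labelled in the code: descriptions reference uploads as Markdown links of the form `[name](/uploads/<secret>/<filename>)` that resolve to `<gitlab-url>/<namespace>/<project>/uploads/<secret>/<filename>`; the `/api/v4/projects/:id` and `/api/v4/projects/:id/issues?confidential=true` endpoints are used for enumeration; a `404` or a redirect to `/users/sign_in` is treated as "protected". It scans issue descriptions only (not comments, epics or merge requests), and should only be run against an instance you are authorized to test.

```python
"""Audit: are attachments in a project's confidential issues served anonymously?

Constructed example, not part of GitLab. Assumptions:
- GITLAB_URL, PROJECT_ID and PRIVATE_TOKEN are supplied via environment variables.
- Descriptions reference uploads as [name](/uploads/<32-hex-secret>/<file>) or
  ![name](/uploads/<secret>/<file>), resolving under the project's web path.
- The token is used only to *list* confidential issues; each attachment is then
  requested with no credentials, which is exactly the condition being audited.
"""
import json
import os
import re
import urllib.error
import urllib.request
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import quote

UPLOAD_LINK = re.compile(r"\]\((/uploads/[0-9a-f]{32}/[^)\s]+)\)")

# Constructed sample description, used for offline testing of the parser.
SAMPLE_DESCRIPTION = (
    "Customer export attached:\n"
    "[customers.csv](/uploads/0123456789abcdef0123456789abcdef/customers.csv)\n"
    "![screenshot](/uploads/fedcba9876543210fedcba9876543210/screen.png)\n"
    "Same file again: [dup](/uploads/0123456789abcdef0123456789abcdef/customers.csv)\n"
)


def extract_upload_paths(markdown: str) -> List[str]:
    """Return the distinct /uploads/<secret>/<file> paths in a description, in order."""
    seen: List[str] = []
    for path in UPLOAD_LINK.findall(markdown or ""):
        if path not in seen:
            seen.append(path)
    return seen


def attachment_url(base_url: str, project_path: str, upload_path: str) -> str:
    """Resolve a relative /uploads/... link against the project's web path."""
    return f"{base_url.rstrip('/')}/{project_path.strip('/')}{upload_path}"


def classify(status: int, location: Optional[str] = None) -> str:
    """Interpret an *unauthenticated* GET of an attachment URL.

    200                        -> 'exposed'   (file served to an anonymous client)
    401 / 403 / 404            -> 'protected' (GitLab often answers 404 for things
                                               the caller may not see; assumed here)
    3xx to /users/sign_in      -> 'protected' (login wall)
    """
    if status == 200:
        return "exposed"
    if status in (401, 403, 404):
        return "protected"
    if 300 <= status < 400 and location and "/users/sign_in" in location:
        return "protected"
    return f"unexpected:{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it,
    # so a redirect to the sign-in page is observed rather than silently followed.
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url: str) -> str:
    """Fetch url with no credentials and no redirect following; classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="GET"), timeout=10) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Location"))


def _api_get(base_url: str, path: str, token: str):
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def confidential_issues(base_url: str, project_id: str, token: str) -> Iterator[Tuple[int, str]]:
    """Yield (iid, description) for confidential issues, paging through the API."""
    pid = quote(str(project_id), safe="")
    page = 1
    while True:
        issues = _api_get(base_url, f"/projects/{pid}/issues?confidential=true&per_page=100&page={page}", token)
        if not issues:
            return
        for issue in issues:
            yield issue["iid"], issue.get("description") or ""
        page += 1


def audit(base_url: str, project_id: str, token: str) -> Dict[str, str]:
    """Map every attachment URL found in confidential issues to its anonymous-access verdict."""
    project_path = _api_get(base_url, f"/projects/{quote(str(project_id), safe='')}", token)["path_with_namespace"]
    results: Dict[str, str] = {}
    for _iid, description in confidential_issues(base_url, project_id, token):
        for path in extract_upload_paths(description):
            url = attachment_url(base_url, project_path, path)
            results.setdefault(url, probe(url))
    return results


if __name__ == "__main__":
    verdicts = audit(os.environ["GITLAB_URL"], os.environ["PROJECT_ID"], os.environ["PRIVATE_TOKEN"])
    for url, verdict in sorted(verdicts.items()):
        print(f"{verdict:<10} {url}")
```

Anything reported as `exposed` is a file from a confidential issue that an anonymous client can download today; after the proposed change every entry should read `protected`. Duplicate links to the same upload are probed once, and the sign-in redirect is deliberately not followed so that a login wall is not mistaken for the file itself.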
Documentation
https://docs.gitlab.com/ee/security/user_file_uploads.html
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.