No security warning when you submit MR from project with restricted repository visibility
HackerOne report #2015919 by shells3c
on 2023-06-07, assigned to GitLab Team
Report
Summary
Follow up #1851858
[@]ameya_gitlab told me to submit this report and said he would triage it. Hi [@]ameya_gitlab!
Steps to reproduce
- Create a public project
- Using another account, fork the project, set the fork's repository visibility to Only Project Members.
- Make a commit to the fork
- Create a merge request to the parent fork, and while creating it, you won't see any warning like this:
This might leave users unaware of security risks they don't know about.
With #1851858 not being fixed, I also suggest updating the error message to warn users that their code is going to be exposed to EVERYONE, in case they think that their MRs are only going to be exposed to the project members because Merge Requests visibility has been set to Only Project Members.
Impact
Disclosure of private code by accident
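The check the report asks for, as an added example that is not part of the report and not GitLab's own code: given the source (fork) and target project settings in the shape returned by GitLab's project API (`visibility` is `public`/`internal`/`private`; the per-feature fields `repository_access_level` and `merge_requests_access_level` are `disabled`/`private`/`enabled`, where `private` is the UI's "Only Project Members"), decide whether creating the MR would expose the fork's code to a wider audience than can currently read the fork's repository. The function names and the sample project dicts are constructed for this example. Note that the fork's own Merge Requests visibility is deliberately ignored: the MR is created in the target project, so the target's settings decide who can read the diff, which is exactly the misunderstanding the report warns about.

```python
"""Warn when an MR from a restricted-visibility fork would expose its code.

Added example, not GitLab code. Assumes the field names and values of
GitLab's GET /projects/:id response: `visibility` and the per-feature
`*_access_level` fields ("private" == "Only Project Members").
"""
from typing import Optional

# Broadest audience implied by the project-level visibility setting.
_VISIBILITY_AUDIENCE = {
    "private": "project members",
    "internal": "any signed-in user",
    "public": "everyone",
}

# Ordering used to compare audiences; larger means more people can read.
_AUDIENCE_RANK = {
    "nobody": 0,
    "project members": 1,
    "any signed-in user": 2,
    "everyone": 3,
}


def _feature_audience(project: dict, feature_field: str) -> str:
    """Who can read one feature: the narrower of project visibility and
    that feature's access level."""
    level = project[feature_field]
    if level == "disabled":
        return "nobody"
    if level == "private":  # "Only Project Members" in the UI
        return "project members"
    return _VISIBILITY_AUDIENCE[project["visibility"]]


def repository_audience(project: dict) -> str:
    """Who can currently read the project's repository (its code)."""
    return _feature_audience(project, "repository_access_level")


def merge_request_audience(project: dict) -> str:
    """Who can read merge requests, and therefore MR diffs, in the project."""
    return _feature_audience(project, "merge_requests_access_level")


def mr_visibility_warning(source: dict, target: dict) -> Optional[str]:
    """Return a warning string if opening an MR from `source` into `target`
    would show the fork's code to more people than can read the fork's
    repository today, else None. The fork's own merge_requests_access_level
    is intentionally not consulted: the MR lives in the target project.
    """
    code_audience = repository_audience(source)
    mr_audience = merge_request_audience(target)
    if _AUDIENCE_RANK[mr_audience] > _AUDIENCE_RANK[code_audience]:
        return (
            f"Warning: the repository of {source['path_with_namespace']} is "
            f"visible only to {code_audience}, but merge requests in "
            f"{target['path_with_namespace']} are visible to {mr_audience}. "
            f"The code in this merge request will be exposed to {mr_audience}."
        )
    return None


# Constructed sample projects modelled on the report's reproduction steps:
# a fork whose repository (and MRs) are "Only Project Members", targeting a
# public upstream project with merge requests enabled.
RESTRICTED_FORK = {
    "path_with_namespace": "shells3c/fork",
    "visibility": "public",
    "repository_access_level": "private",
    "merge_requests_access_level": "private",
}
PUBLIC_UPSTREAM = {
    "path_with_namespace": "upstream/project",
    "visibility": "public",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
}
PRIVATE_UPSTREAM = dict(PUBLIC_UPSTREAM, visibility="private")

if __name__ == "__main__":
    print(mr_visibility_warning(RESTRICTED_FORK, PUBLIC_UPSTREAM))
    print(mr_visibility_warning(RESTRICTED_FORK, PRIVATE_UPSTREAM))
```

Running the script prints the warning for the public upstream and `None` for a private upstream, where the MR audience (project members) is no wider than the fork's repository audience.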
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: