Merge request titles visible publicly despite being set as project members only
HackerOne report #2357370 by ashish_r_padelkar
on 2024-02-07, assigned to @ottilia_westerlund:
Report
Summary
Hello,
It is possible for anyone to see Merge Request titles despite setting their visibility to Only Project Members.
Steps to reproduce
1. Create a public project.
2. Set the repository to Everyone With Access but set merge requests to Only Project Members.
3. Create a new branch at https://gitlab.com/<NameSpace>/<ProjectName>/-/branches and then create a merge request using that branch.
4. Now visit the URL without logging in: https://gitlab.com/<NameSpace>/<ProjectName>/-/branches and hover over the merge request icon like below.
5. You will see the merge request title.
Examples
You can see my test PoC here: https://gitlab.com/groupjan2024/Janproject/-/branches, where I have set merge request visibility to Only Project Members, yet you can see the titles.
What is the current bug behavior?
Merge request titles visible publicly despite being set as project members only
What is the expected correct behavior?
Only project members should be able to see the merge request titles.
Output of checks
This bug happens on GitLab.com.
Regards,
Ashish
Impact
Merge request titles visible publicly despite being set as project members only
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: