Email participants from issues are visible to unauthenticated users
HackerOne report #2456229 by ashish_r_padelkar
on 2024-04-09, assigned to @cmaxim:
Report
Summary
Hello,
As per https://gitlab.com/gitlab-org/gitlab/-/issues/383448, issue email participants are hidden/obfuscated on issues for members without proper access, and that issue is closed/resolved as per GitLab.
However, the system notes created on the issue still disclose the email addresses of participants to everyone who can see the issue.
Steps to reproduce
1. On your instance, enable the feature flag issue_email_participants to enable objectives and key results in the Rails console. (Follow this to enable feature flags: https://docs.gitlab.com/ee/administration/feature_flags.html#how-to-enable-and-disable-features-behind-flags)
2. Once enabled, create an issue in your public project.
3. In the comments, invite email participants using the quick action /invite_email ashish_r_padelkar@wearehackerone.com
4. Now, as any unauthenticated user, visit the issue and you should see the invited email in the system notes activities, although it is obscured below the comment box for authenticated users.
This is what a logged-in user can see.
Unauthenticated users see the system notes, which disclose the email address.
What is the current bug behavior?
Email participants from issues are visible to unauthenticated users
What is the expected correct behavior?
Email participants from issues should not be visible for unauthenticated users
Output of checks
This bug happens on GitLab EE 16.9+
Regards,
Ashish
Impact
Email participants from issues are visible to unauthenticated users
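A defender's check for the behaviour described in this report, added here as an example and not part of the original report or of GitLab's code: it scans the JSON that GitLab's issue notes API (GET /projects/:id/issues/:iid/notes) returns to an anonymous session, flags any system note that carries an email address, and shows the obfuscated form such a viewer should get instead. The sample notes, the note ids and the obfuscation format are assumptions.

```python
import json
import re

# Constructed sample in the shape returned by GitLab's notes API
# (GET /projects/:id/issues/:iid/notes) when fetched without a token.
# Note ids, bodies and the address are made up for this example.
SAMPLE_NOTES_JSON = json.dumps([
    {"id": 101, "system": False, "body": "Reproduced on 16.9, looking into it."},
    {"id": 102, "system": True,
     "body": "added reporter@example.com as an email participant"},
    {"id": 103, "system": True, "body": "changed the description"},
])

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_email_disclosures(notes_json):
    """Return (note_id, email) for every address found in a system note.

    Run this over the notes an anonymous (unauthenticated) session can read;
    any hit means a participant address is rendered to a viewer who should
    only ever see the obfuscated form.
    """
    hits = []
    for note in json.loads(notes_json):
        if not note.get("system"):
            continue  # user comments are out of scope for this check
        for email in EMAIL_RE.findall(note.get("body", "")):
            hits.append((note["id"], email))
    return hits


def obfuscate_email(addr):
    """Hide the local part the way an unprivileged viewer should see it.

    The format (first character of the local part, then asterisks) is an
    assumption for this example, not GitLab's exact rendering.
    """
    local, _, domain = addr.partition("@")
    return f"{local[:1]}****@{domain}"


def redact_system_note(body):
    """Replace every address in a system-note body with its obfuscated form."""
    return EMAIL_RE.sub(lambda m: obfuscate_email(m.group(0)), body)
```

Point it at the notes of a public issue fetched without credentials on a staging instance; an empty result from find_email_disclosures is the expected state once participant addresses are obfuscated for unprivileged viewers.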