Non member can view unresolved threads marked as internal notes

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2705909 by salh4ckr on 2024-09-07, assigned to GitLab Team:


Report

Summary

Hello,
When a user starts an unresolved thread on a merge request, it is visible to project members with at least Reporter access. But I found that on a public project it is possible for a non-member to view unresolved threads via URL.

Steps to reproduce

As Owner

  1. Create public group A and create public project A in that group
  2. Create Merge request 1 in project A
  3. Start unresolved thread in merge request

1.png

As Attacker

  1. Go to project A and click merge request 1
  2. Here you can see that unresolved threads are not visible to you.
  3. Now go to https://gitlab.com/groupA/projectA/-/issues/new?merge_request_to_resolve_discussions_of=1

Replace groupA and projectA with your group and project name, and change 1 to your MR ID.

2.png

Video POC
thrds_poc.mp4

Impact

A non-member (attacker) can view unresolved threads marked as internal notes, which are intended to be visible only to members with at least Reporter access.
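The bug class behind this report is an endpoint that copies data out of one object (the merge request's unresolved discussions) into another view (the prefilled new-issue form) without re-applying the read policy that protects the source. The following Ruby sketch is an added illustration by the editor, not GitLab's code: the structs, the `ACCESS_LEVELS` table, and the function names are assumptions chosen to model the report's description (internal notes readable only at Reporter access or above). It shows the vulnerable shape beside the hardened one, with constructed sample data.

```ruby
# Added illustration (not GitLab's code). All names and structures are
# hypothetical; they model the authorization gap described in the report.

# Numeric ordering of project access levels (assumed values for the model)
ACCESS_LEVELS = { none: 0, guest: 10, reporter: 20, developer: 30 }.freeze

Note   = Struct.new(:id, :body, :internal, :resolved, keyword_init: true)
Member = Struct.new(:user, :access_level, keyword_init: true)

class Project
  attr_reader :members

  def initialize(members: [])
    @members = members
  end

  # Access level of a user on this project; non-members (and anonymous
  # visitors of a public project) get :none.
  def access_level_for(user)
    m = members.find { |mem| mem.user == user }
    m ? m.access_level : :none
  end
end

# Read policy from the report: internal notes require at least Reporter.
def can_read_note?(project, user, note)
  return true unless note.internal

  ACCESS_LEVELS[project.access_level_for(user)] >= ACCESS_LEVELS[:reporter]
end

# Vulnerable shape: every unresolved note is handed to the prefill step,
# regardless of who is asking. This is the pattern the report describes.
def unresolved_notes_for_prefill_vulnerable(_project, _user, notes)
  notes.reject(&:resolved)
end

# Hardened shape: apply the same read policy the merge request page applies
# before anything is copied into the new-issue description.
def unresolved_notes_for_prefill(project, user, notes)
  notes.reject(&:resolved).select { |n| can_read_note?(project, user, n) }
end

# Build the prefilled description from the notes the viewer may read.
def prefill_description(project, user, notes)
  unresolved_notes_for_prefill(project, user, notes)
    .map { |n| "- #{n.body}" }
    .join("\n")
end

# Constructed sample data: one member at Developer, one public thread,
# one unresolved internal thread, one already-resolved internal thread.
SAMPLE_PROJECT = Project.new(members: [Member.new(user: "owner", access_level: :developer)])
SAMPLE_NOTES = [
  Note.new(id: 1, body: "public thread",       internal: false, resolved: false),
  Note.new(id: 2, body: "internal thread",     internal: true,  resolved: false),
  Note.new(id: 3, body: "old internal thread", internal: true,  resolved: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, anonymous: #{unresolved_notes_for_prefill_vulnerable(SAMPLE_PROJECT, 'anon', SAMPLE_NOTES).map(&:id).inspect}"
  puts "hardened,   anonymous: #{unresolved_notes_for_prefill(SAMPLE_PROJECT, 'anon', SAMPLE_NOTES).map(&:id).inspect}"
  puts "hardened,   owner:     #{unresolved_notes_for_prefill(SAMPLE_PROJECT, 'owner', SAMPLE_NOTES).map(&:id).inspect}"
end
```

The design point is that the filter lives in the data-access step, not in the rendering step: any future caller that reuses `unresolved_notes_for_prefill` (an API, an export, another prefill form) inherits the policy, which is the kind of secondary path a regression test for this report should cover.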

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • thrds_poc.mp4
  • 1.png
  • 2.png

How To Reproduce

Please add reproducibility information to this section:
