Non member can view unresolved threads marked as internal notes
HackerOne report #2705909 by salh4ckr on 2024-09-07, assigned to GitLab Team:
Report
Summary
Hello,
When a user starts an unresolved thread on a merge request, it is visible to project members with at least Reporter access. But I found that on a public project it is possible for a non-member to view unresolved threads via a URL.
Steps to reproduce
As Owner
- Create public group A and create public project A in that group
- Create Merge request 1 in project A
- Start unresolved thread in merge request
As Attacker
- Go to project A and click merge request 1
- Here you can see that the unresolved threads are not visible to you.
- Now go to https://gitlab.com/groupA/projectA/-/issues/new?merge_request_to_resolve_discussions_of=1
Replace groupA and projectA with your group and project name, and change 1 to your MR ID.
Video POC
thrds_poc.mp4
Impact
A non-member (attacker) can view unresolved threads marked as internal notes, which are intended to be visible only to members with at least Reporter access.
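The fix this report calls for is a per-note visibility check on the path that pre-fills a new issue from a merge request's unresolved discussions. The Ruby below is an added illustration written for this page, not GitLab's own implementation: the `can_read_note?`, `visible_unresolved_notes` and `issue_description_for` helpers, the access-level table and the sample notes are all hypothetical and constructed. The `vulnerable: true` branch models the behaviour the report describes (unresolved notes copied without a permission check); the default branch filters internal notes by the viewer's access level.

```ruby
# Added example (hypothetical, not GitLab code): the authorization check a
# "create issue to resolve discussions of MR" feature must apply before it
# copies discussion content into the new issue's description.

# Hypothetical access-level table, modelled on the Guest < Reporter ordering.
ACCESS_LEVELS = { none: 0, guest: 10, reporter: 20, developer: 30 }.freeze

User = Struct.new(:name, :access_level)
Note = Struct.new(:id, :body, :internal, :resolved)

# Internal notes are readable only by members with at least Reporter access;
# ordinary notes on a public project are readable by anyone.
def can_read_note?(user, note)
  return true unless note.internal
  user.access_level >= ACCESS_LEVELS[:reporter]
end

# Unresolved notes the given user is actually allowed to read.
def visible_unresolved_notes(notes, user)
  notes.reject(&:resolved).select { |note| can_read_note?(user, note) }
end

# Builds the pre-filled issue description. With vulnerable: true the
# per-note permission check is skipped, which is the defect reported above;
# the default path only includes notes the viewer may read.
def issue_description_for(notes, user, vulnerable: false)
  selected = if vulnerable
               notes.reject(&:resolved)
             else
               visible_unresolved_notes(notes, user)
             end
  selected.map { |note| "- #{note.body}" }.join("\n")
end

# Constructed sample data: one public note, one unresolved internal note,
# one internal note that is already resolved.
NOTES = [
  Note.new(1, "public: please rename this variable", false, false),
  Note.new(2, "internal: secret in staging config", true, false),
  Note.new(3, "internal: already fixed", true, true),
].freeze

NON_MEMBER = User.new("anonymous", ACCESS_LEVELS[:none])
REPORTER   = User.new("reporter", ACCESS_LEVELS[:reporter])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable path, non-member sees:\n#{issue_description_for(NOTES, NON_MEMBER, vulnerable: true)}\n\n"
  puts "fixed path, non-member sees:\n#{issue_description_for(NOTES, NON_MEMBER)}\n\n"
  puts "fixed path, reporter sees:\n#{issue_description_for(NOTES, REPORTER)}"
end
```

The same filter belongs in a regression test: render the prefill for an anonymous user on a public project and assert that no internal note body appears, while a Reporter still sees the full set.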
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: