
IP Restriction Bypass Through REST API

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3037722 by rogerace on 2025-03-14, assigned to @danielhauenstein:


Report

Summary

Users can still see issues assigned to them from an IP-restricted group using the REST API.

I am aware that even after IP restriction, users may still see some issues on their dashboard. So I have checked to make sure that users cannot see these issues on the dashboard, but these issues can be leaked through the API.

Steps to reproduce
  1. Go to any group using the owner account, create an issue for a project in that group, and assign it to the attacker account (who should also be a member of the group).
  2. Go to the attacker account and check the dashboard; you will see that you cannot see any info about the issue created in step 1.
  3. Go to settings and restrict IP access to 1.1.1.1, effectively blocking everyone from accessing the group.
  4. Issue the following request:

     ```
     curl --header "PRIVATE-TOKEN: YOUR_TOKEN" --url "https://gitlab.com/api/v4/issues?scope=assigned_to_me"
     ```

Voilà! You saw the issue.
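The defect the steps above demonstrate is an authorization check applied on one code path (the dashboard) but not on another (the REST API). The following is an added, constructed Ruby model of that shape, not GitLab's own code: a hypothetical `ip_allowed?` check, a dashboard finder that applies it, an API finder that forgets it, and the fixed form in which both entry points share one finder so the check cannot be skipped.

```ruby
require 'ipaddr'

# Constructed toy model of IP-restricted groups (hypothetical, not GitLab's code).
Group = Struct.new(:name, :allowed_cidrs)
Issue = Struct.new(:id, :group, :assignee)

# Does the request's source IP satisfy the group's restriction?
def ip_allowed?(group, remote_ip)
  return true if group.allowed_cidrs.empty? # no restriction configured
  ip = IPAddr.new(remote_ip)
  group.allowed_cidrs.any? { |cidr| IPAddr.new(cidr).include?(ip) }
end

# Vulnerable shape: only the dashboard path consults the IP restriction.
def dashboard_issues(issues, user, remote_ip)
  issues.select { |i| i.assignee == user && ip_allowed?(i.group, remote_ip) }
end

def api_issues_vulnerable(issues, user, _remote_ip)
  issues.select { |i| i.assignee == user } # IP restriction never checked
end

# Fixed shape: one finder enforces the check for every entry point.
def assigned_issues(issues, user, remote_ip)
  issues.select { |i| i.assignee == user && ip_allowed?(i.group, remote_ip) }
end

def api_issues_fixed(issues, user, remote_ip)
  assigned_issues(issues, user, remote_ip)
end

# Constructed sample data mirroring the report: one group restricted to 1.1.1.1.
RESTRICTED = Group.new('restricted-group', ['1.1.1.1/32'])
OPEN = Group.new('open-group', [])
ISSUES = [
  Issue.new(1, RESTRICTED, 'attacker'),
  Issue.new(2, OPEN, 'attacker'),
  Issue.new(3, OPEN, 'someone-else')
]

if __FILE__ == $0
  # Request from an address outside the allow-list; constructed values.
  p dashboard_issues(ISSUES, 'attacker', '203.0.113.5').map(&:id)      # [2]
  p api_issues_vulnerable(ISSUES, 'attacker', '203.0.113.5').map(&:id) # [1, 2]
  p api_issues_fixed(ISSUES, 'attacker', '203.0.113.5').map(&:id)      # [2]
end
```

A regression test for such a fix should call the API finder with a source address outside the allow-list and assert the restricted group's issues are absent, since the dashboard passing says nothing about the API path.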

Impact

Low in confidentiality.
