Users can see Security report of public projects

Issue as reported from HackerOne **HackerOne report #459034** by ashish_r_padelkar on 2018-12-08:

Summary: Hello,

As per documentation here https://gitlab.com/help/user/permissions, Guest and Reporters are not allowed to see project Security Dashboard.

This report also appears on default branch pipeline security tab at /pipelines/<PipelineId>/security

Description:

This works perfectly for private projects. The security dashboard as well as the pipeline security report are not visible to guests.

However, for a public project this isn't the case. The security dashboard is not accessible, but the pipeline security report is visible to everyone, which I believe is the same information? So this should not be visible to everyone for public projects too.

Steps To Reproduce:

  1. As any user, try to access the security dashboard /security/dashboard of a public project and you will get access denied (403).

  2. Now go to any successful pipeline of the default branch and click on the security tab /pipelines/<PipelineId>/security, and all the information is displayed!

Regards, Ashish

Impact

Security report is visible for public projects!

Summary

When a public project has Settings > CI/CD > Public Pipeline unchecked, /pipelines/:id/security is still accessible to any user.

Steps to reproduce

  1. In a public project, set Settings > General > Project Visibility > Pipelines to Everyone with access.
  2. In the same project, uncheck Settings > CI/CD > Public Pipelines.
  3. Navigate to /pipelines/:pipeline_id/security.

Note: pipelines can be made public/private in two different settings. You should follow the steps above to isolate the behavior for the setting with the bug.

What is the current bug behavior?

The pipeline security report is visible.

What is the expected correct behavior?

The pipeline security report should respond with 404, matching the behavior when pipeline visibility is controlled by Settings > General > Project Visibility.
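The expected behavior above amounts to one authorization rule: a non-member may read a pipeline's security report only when the project is visible to them, the Pipelines feature is visible to them, and Public Pipelines is checked; members need a role above Reporter, as the documentation cited in the report states for the Security Dashboard. The following Ruby is an added example written for this issue, not GitLab's code: the `Project` and `User` structs, the role list and the setting names (`pipelines_access`, `public_pipelines`) are constructed stand-ins for the settings named in the steps to reproduce, and it answers with 404 rather than 403 so that unauthorized users cannot distinguish a hidden report from a non-existent one.

```ruby
# Added example (not GitLab's code): a minimal model of the two settings that
# govern pipeline visibility and the single check a /pipelines/:id/security
# endpoint should consult before rendering the report.

# Constructed stand-ins for the settings named in the issue.
Project = Struct.new(:visibility, :pipelines_access, :public_pipelines, :members,
                     keyword_init: true)
# visibility:       :private, :internal or :public
# pipelines_access: :disabled, :members_only or :everyone_with_access
#                   (Settings > General > Project Visibility > Pipelines)
# public_pipelines: the Settings > CI/CD > Public Pipelines checkbox
# members:          { user_name => role }

User = Struct.new(:name, keyword_init: true)
ANONYMOUS = nil

# Assumed role list: Guests and Reporters may not see security data.
SECURITY_ROLES = %i[developer maintainer owner].freeze

def member_role(project, user)
  return nil if user.nil?
  project.members[user.name]
end

# Can this user see the project at all?
def project_visible?(project, user)
  case project.visibility
  when :public   then true
  when :internal then !user.nil?            # any signed-in user
  else !member_role(project, user).nil?     # private: members only
  end
end

# Can this user see the project's pipelines?
def pipelines_visible?(project, user)
  case project.pipelines_access
  when :members_only         then !member_role(project, user).nil?
  when :everyone_with_access then project_visible?(project, user)
  else false                                # :disabled or unknown
  end
end

# Can this user read a pipeline's security report?
# Both settings must agree: an unchecked Public Pipelines box hides pipeline
# contents from non-members even when project and pipelines are public.
def can_read_security_report?(project, user)
  role = member_role(project, user)
  return SECURITY_ROLES.include?(role) if role
  pipelines_visible?(project, user) && project.public_pipelines
end

# Status the endpoint should return: 404 hides the report's existence.
def security_report_status(project, user)
  can_read_security_report?(project, user) ? 200 : 404
end

if __FILE__ == $PROGRAM_NAME
  # The buggy configuration from the steps to reproduce (constructed data).
  project = Project.new(visibility: :public,
                        pipelines_access: :everyone_with_access,
                        public_pipelines: false,
                        members: { "alice" => :maintainer, "bob" => :guest })
  puts "anonymous: #{security_report_status(project, ANONYMOUS)}"        # 404
  puts "maintainer: #{security_report_status(project, User.new(name: 'alice'))}" # 200
  puts "guest: #{security_report_status(project, User.new(name: 'bob'))}"        # 404
end
```

The decisive line is the last one in `can_read_security_report?`: checking `pipelines_visible?` alone reproduces the bug, because on a public project with Pipelines set to Everyone with access that check passes for anonymous users; the `public_pipelines` conjunct is what the report says was missing.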

Relevant logs and/or screenshots

Setting Screenshots

Resolution

Fix bug and update documentation

Edited by Paula Burke