Service desk email address of a project is being leaked through GraphQL to non-members of the project even if a custom suffix is set for the same.
**[HackerOne report #1439254](https://hackerone.com/reports/1439254)** by `albatraoz` on 2022-01-02, assigned to @cmaxim:

[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

I've [reported](https://hackerone.com/reports/1330273) this vulnerability previously too, but closed it as N/A myself, as the service desk email address is guessable if we have a project name. But this time I saw some activity on GitLab [issues](https://gitlab.com/gitlab-org/gitlab/-/issues/345692) about the visibility, and it has been changed to [reporter](https://docs.gitlab.com/ee/user/project/service_desk.html); also, if any project owner decides to add a suffix to their service desk email address to defend against spam, that too would be exposed through GraphQL.

##### Steps to reproduce

1. Visit https://gitlab.com/-/graphql-explorer
2. Put the following GraphQL query and hit play

   ```graphql
   query {
     project(fullPath: "gitlab-org/gitlab") {
       id
       serviceDeskAddress
     }
   }
   ```

You will see the internal service desk email of the project in the response.

```json
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/278964",
      "serviceDeskAddress": "contact-project+gitlab-org-gitlab-278964-issue-[@]incoming.gitlab.com"
    }
  }
}
```

##### What is the current *bug* behavior?

The service desk email address is visible to non-members of a project.

##### What is the expected *correct* behavior?

The service desk email address should be visible only to members of a project with minimum Reporter-level access.
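The expected behaviour above is a field-level authorization check: the resolver for `serviceDeskAddress` must consult the caller's role in the project before returning the value, rather than exposing it to anyone who can query the project. The following Ruby sketch is an added illustration of that check and is not GitLab's own code or its graphql-ruby type definitions; the `Project` model, the member map, the address-construction helper, the `incoming.example.com` domain and the `resolve_service_desk_address` function are assumptions. The numeric role levels mirror GitLab's public role hierarchy (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50); the address shape follows the pattern visible in the report's response.

```ruby
# Added illustration (not GitLab's code): field-level authorization for a
# GraphQL resolver that exposes a project's Service Desk address.
# The model and helper names below are assumptions made for this example.

module Access
  NO_ACCESS  = 0
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Minimal stand-in for a project record (assumed model).
class Project
  attr_reader :id, :full_path, :service_desk_suffix

  def initialize(id:, full_path:, service_desk_suffix: 'issue', members: {})
    @id = id
    @full_path = full_path
    @service_desk_suffix = service_desk_suffix
    @members = members # { username => access level }
  end

  # Address shape modelled on the report's response:
  # contact-project+<path with / replaced by ->-<id>-<suffix>@<incoming domain>
  def service_desk_address(incoming_domain = 'incoming.example.com')
    path_slug = full_path.tr('/', '-')
    "contact-project+#{path_slug}-#{id}-#{service_desk_suffix}@#{incoming_domain}"
  end

  # Anonymous callers and non-members both resolve to NO_ACCESS.
  def access_level_for(user)
    return Access::NO_ACCESS if user.nil?

    @members.fetch(user, Access::NO_ACCESS)
  end
end

# Resolver for the `serviceDeskAddress` field. Instead of returning the
# value unconditionally, it checks the caller's role and returns nil
# (rendered as `null` in the GraphQL response) for anyone below Reporter.
def resolve_service_desk_address(project, current_user)
  return nil if project.access_level_for(current_user) < Access::REPORTER

  project.service_desk_address
end

# Constructed sample data; the suffix stands in for the owner-chosen secret
# that the report says must stay within the project.
SAMPLE_PROJECT = Project.new(
  id: 278_964,
  full_path: 'example-group/example-project',
  service_desk_suffix: 'q7x2-private',
  members: { 'alice' => Access::OWNER, 'bob' => Access::REPORTER, 'carol' => Access::GUEST }
)

if __FILE__ == $PROGRAM_NAME
  # anonymous and guest callers get nil; reporter and owner get the address
  [nil, 'carol', 'bob', 'alice'].each do |user|
    label = (user || 'anonymous').ljust(10)
    puts "#{label} => #{resolve_service_desk_address(SAMPLE_PROJECT, user).inspect}"
  end
end
```

Running the file prints `nil` for the anonymous and Guest callers and the full address for the Reporter and Owner, which is the visibility the report asks for. The point of the design is that the check lives in the resolver for the sensitive field itself, so it holds regardless of which query path reaches the project object.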
##### Relevant logs and/or screenshots

![GraphiQL.png](https://h1.sec.gitlab.net/a/db693778-ef3c-45bb-ad28-0ae47d2d51ec/GraphiQL.png)

##### Issue references

- https://gitlab.com/gitlab-org/gitlab/-/issues/345692
- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74179

##### Impact reference

https://gitlab.com/gitlab-org/gitlab/-/issues/329446#note_563640175

#### Impact

Even though the service desk email address is guessable if we have the project name, if the owner decides to add a secret suffix only visible to and shared with project members, the email address would be leaked to non-members through GraphQL. This can lead to issue spam or vandalism of a project.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [GraphiQL.png](https://h1.sec.gitlab.net/a/db693778-ef3c-45bb-ad28-0ae47d2d51ec/GraphiQL.png)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues