Guests can see number of commits in Cycle Analytics
HackerOne report #603797 by ashish_r_padelkar
on 2019-06-08, assigned to jmatos_bgtvf
Summary
Hello,
Very low severity issue where guests can see the number of commits in a project, which they shouldn't.
Steps to reproduce
Log in as a guest in a private project, navigate to Cycle Analytics and look at the numbers in the commits column of Recent Project Activity.
Impact
Guests are not allowed to see the repository menu in private projects, hence they shouldn't see information related to commits. However, they can see the number of commits that took place in the project in the last 90 days using Cycle Analytics!
What is the current bug behavior?
Guests in a private project are allowed to see the number of commits that took place in the last 90 days.
This also works for a public project where the repository is set to Only Project Members, yet anybody can see the number of commits.
What is the expected correct behavior?
This information related to commits shouldn't be visible to anyone.
Output of checks
This bug happens on GitLab.com and should happen on omnibus installations too!
Regards,
Ashish
Impact
As mentioned above, a guest in a private project can see these numbers, and so can any logged-in user in a public project even when the repository setting is set to Only Project Members.
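The authorization rule the report asks for, as an added example that is not part of the report and not GitLab's own policy code: the commit count shown in the activity summary should be gated behind the same permission as reading the repository, so a guest in a private project, or a non-member of a public project whose repository is set to Only Project Members, gets no count. The `Project` struct, the role names, `can_read_repository?` and `activity_summary` are all hypothetical names chosen for this illustration.

```ruby
# Hypothetical model of the fix this report asks for (illustration only,
# not GitLab's real policy code). Field and method names are invented.

# visibility:        :private or :public
# repository_access: :everyone, or :members_only ("Only Project Members")
# members:           { username => role }
Project = Struct.new(:visibility, :repository_access, :members, keyword_init: true)

# Roles that are allowed to read code; guests are deliberately absent.
ROLES_WITH_CODE_ACCESS = %i[reporter developer maintainer owner].freeze

# Can `user` read the repository, and therefore anything derived from commits?
def can_read_repository?(user, project)
  role = project.members[user]
  if role
    # A member's access depends only on the role; a guest never reads code,
    # whatever the project visibility.
    ROLES_WITH_CODE_ACCESS.include?(role)
  else
    # A non-member only reaches the repository of a public project whose
    # repository feature is open to everyone.
    project.visibility == :public && project.repository_access == :everyone
  end
end

# Builds the "Recent Project Activity" counters. With fixed: false the commit
# count is returned to anyone who can open the page (the reported behaviour);
# with fixed: true it is omitted unless the user may read the repository.
def activity_summary(user, project, commit_count, fixed:)
  summary = {}
  show_commits = fixed ? can_read_repository?(user, project) : true
  summary[:commits] = commit_count if show_commits
  summary
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample projects mirroring the two cases in the report.
  private_project = Project.new(visibility: :private, repository_access: :everyone,
                                members: { "guest" => :guest, "dev" => :developer })
  public_restricted = Project.new(visibility: :public, repository_access: :members_only,
                                  members: { "dev" => :developer })

  p activity_summary("guest", private_project, 42, fixed: false)     # leaks the count
  p activity_summary("guest", private_project, 42, fixed: true)      # count hidden
  p activity_summary("someone", public_restricted, 42, fixed: true)  # count hidden
  p activity_summary("dev", public_restricted, 42, fixed: true)      # developer sees it
end
```

The key design choice is that the gate reuses the repository-read permission rather than a separate "can see analytics" flag, so the two cases in the report (guest role, and a repository feature restricted to members) are both covered by one check and cannot drift apart later.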