
Expose Private Group's Membership in autocomplete endpoint

HackerOne report #425579 by ngalog on 2018-10-19:

Summary: The impact is exactly the same as #424465 (closed):

When you visit a public project's member page, you will be able to see the normal members there. If the public project was shared with a private group, that private group is hidden from the web UI, since you are not authorised to reach that private group. However, there is an autocomplete endpoint disclosing all members, including the private group members, in that endpoint.

Steps To Reproduce:

  • Visit https://gitlab.com/golduserngalog/gitlabexporta/project_members; you should be able to see two members in this group only, but in fact I have shared this project with a private group with the namespace privategroupwithprivatemember.

  • However, when you visit https://gitlab.com/golduserngalog/gitlabexporta/autocomplete_sources/members?type=Issue&type_id=2, you will see two more members in the response, thus leaking the membership of the group privategroupwithprivatemember.

Impact

This allows an unauthorized user to view the membership of a private group.
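The authorization gap the report describes, as an added Ruby model that is not GitLab's code: a members page that filters shared groups by the viewer's visibility beside an autocomplete source that expands every shared group without that check, and its hardened form that reuses the same filter. The group, project and member names are constructed sample data.

```ruby
# Added example (not GitLab's implementation): a minimal model of the two
# membership views from the report, showing why the autocomplete source must
# apply the same visibility check as the members page.

# visibility is :public or :private; members is a list of usernames
Group = Struct.new(:name, :visibility, :members)
Project = Struct.new(:direct_members, :shared_groups)

# A private group is visible only to its own members.
def group_visible?(group, viewer)
  group.visibility == :public || group.members.include?(viewer)
end

# Members page: direct members plus members of shared groups the viewer may see.
def members_page(project, viewer)
  visible = project.shared_groups.select { |g| group_visible?(g, viewer) }
  (project.direct_members + visible.flat_map(&:members)).uniq.sort
end

# Vulnerable autocomplete source: expands every shared group, ignoring the viewer.
def autocomplete_members_vulnerable(project, _viewer)
  (project.direct_members + project.shared_groups.flat_map(&:members)).uniq.sort
end

# Hardened autocomplete source: one visibility filter shared with the members page.
def autocomplete_members_fixed(project, viewer)
  members_page(project, viewer)
end

# Regression check: names the autocomplete source reveals that the members page hides.
def leaked_members(project, viewer, autocomplete)
  autocomplete.call(project, viewer) - members_page(project, viewer)
end

# Constructed sample mirroring the report: a public project shared with a private group.
PRIVATE_GROUP = Group.new('privategroupwithprivatemember', :private, %w[hidden1 hidden2])
PROJECT = Project.new(%w[ngalog owner], [PRIVATE_GROUP])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable leaks: #{leaked_members(PROJECT, 'anon', method(:autocomplete_members_vulnerable)).inspect}"
  puts "fixed leaks:      #{leaked_members(PROJECT, 'anon', method(:autocomplete_members_fixed)).inspect}"
end
```

Running `leaked_members` against both sources for an anonymous viewer is the regression test a fix for this class of bug should keep: the result must be empty for every endpoint that enumerates members.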


Edited by GitLab SecurityBot