
Forked Project's Information is Still Being Disclosed in Project API after being changed to Private

HackerOne report #575814 by ngalog on 2019-05-10, assigned to asaba:

Summary

In GitHub, once a repository is made private, every fork relationship it had is removed. This is done for privacy: once a project goes private, no information related to it should be disclosed.

In GitLab, however, when a project goes private the previously created forks still get the private project's information, because the fork relationship persists. This discloses information about the private project.

Steps to reproduce

  • As user A, create a new project, say foo project
  • As user B, fork foo project; user B's forked project is bar project
  • As user A, set the visibility of the project to private at https://gitlab.com/PROJECT_PATH/edit
  • User B should no longer be able to view https://gitlab.com/PROJECT_PATH/, which is correct
  • However, user B can still spy on foo project by visiting https://gitlab.com/api/v4/projects/ID_OF_BAR_PROJECT: the value of forked_from_project in the response is the info of foo project
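The check in the steps above, written as an added example (not code from the report or from GitLab): read the fork's /api/v4/projects/:id record, and if it embeds a forked_from_project whose id the same user cannot fetch directly, report the parent fields that leaked. The responses it runs on offline are constructed sample data shaped like GitLab's project JSON; the hostname gitlab.example and every field name other than forked_from_project are assumptions for the example.

```python
"""Detect a fork that still exposes a parent project the viewer cannot read.

Added example, not code from the HackerOne report or from GitLab. The sample
responses below are constructed to mirror the report's scenario: project 1
(foo, owned by user A) went private; project 2 (bar) is user B's fork.
"""
import json
import urllib.request
from typing import Callable, Dict, Tuple

# Parent fields that a detached fork should not reveal (assumed list).
SENSITIVE_PARENT_FIELDS = (
    "id", "name", "name_with_namespace", "path_with_namespace",
    "web_url", "description",
)

# Constructed sample: what user B sees for the fork after foo went private.
SAMPLE_FORK_RESPONSE = {
    "id": 2,
    "path_with_namespace": "user_b/bar",
    "forked_from_project": {
        "id": 1,
        "name": "foo",
        "path_with_namespace": "user_a/foo",
        "web_url": "https://gitlab.example/user_a/foo",
    },
}

# A fetcher maps an API path such as "/projects/2" to (HTTP status, JSON body).
Fetcher = Callable[[str], Tuple[int, dict]]


def offline_fetcher(path: str) -> Tuple[int, dict]:
    """Constructed stand-in for GET https://gitlab.example/api/v4<path> as user B.

    The direct request for the parent is refused, exactly as in step 4 of
    the report, while the fork record in step 5 still embeds the parent.
    """
    routes = {
        "/projects/2": (200, SAMPLE_FORK_RESPONSE),
        "/projects/1": (404, {"message": "404 Project Not Found"}),
    }
    return routes.get(path, (404, {"message": "404 Not Found"}))


def live_fetcher(base_url: str, token: str) -> Fetcher:
    """Real fetcher for a GitLab instance, authenticated with PRIVATE-TOKEN.

    Not exercised here; provided so the check can be run against a live
    instance as the forking user.
    """
    def fetch(path: str) -> Tuple[int, dict]:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v4{path}",
            headers={"PRIVATE-TOKEN": token},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {"message": err.reason}
    return fetch


def find_parent_disclosure(fork_id: int, fetch: Fetcher) -> Dict[str, object]:
    """Return the parent fields leaked through the fork record, or {} if none.

    A leak is reported only when the fork embeds forked_from_project AND the
    same viewer is refused when requesting that parent directly: the fork
    relationship is then disclosing metadata the viewer may not read.
    """
    status, fork = fetch(f"/projects/{fork_id}")
    if status != 200:
        raise RuntimeError(f"cannot read fork {fork_id}: HTTP {status}")
    parent = fork.get("forked_from_project")
    if not parent:
        return {}  # relationship already detached, nothing to leak
    parent_status, _ = fetch(f"/projects/{parent['id']}")
    if parent_status == 200:
        return {}  # viewer can read the parent anyway, so no disclosure
    return {k: parent[k] for k in SENSITIVE_PARENT_FIELDS if k in parent}


if __name__ == "__main__":
    leaked = find_parent_disclosure(2, offline_fetcher)
    print("leaked parent fields:", json.dumps(leaked, indent=2))
```

Run it as the forking user against a real instance by passing live_fetcher(base_url, token) instead of offline_fetcher; an empty result means the fork relationship was detached (or the parent is readable anyway), a non-empty one reproduces the report.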

Impact

A user who forked a project while it was public can keep spying on it after it is made private.

What is the current bug behavior?

Users who forked a project while it was public can keep spying on it after it is made private.

What is the expected correct behavior?

All fork relationships should be detached when a public project is made private.

Relevant logs and/or screenshots

anotherpoc2.PNG

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by Antony Saba