Get activity counts of issue/merge events despite setting Only Project members for Public projects

HackerOne report #577244 by ashish_r_padelkar on 2019-05-11, assigned to estrike:

Summary

Hello,

It is possible for any non-member to get activity counts of issue/merge events of a public project which has the settings below.

Screenshot_2019-05-11_at_14.29.54.png

The non-member user sees the following options:
Screenshot_2019-05-11_at_14.30.08.png

They cannot see activity events such as issue/merge events. However, it is possible for them to get the counts of such events!

Steps to reproduce

  1. As the owner of a public project, set Issues and Repository to Only Project Members.
  2. Log in as any other user and visit this public project. You will see only 2 options, All & Team.
  3. Click on either of them and look at the request in Burp.
GET /gitlabadminrsspl1111/thisispublicproject/activity?limit=20&offset=0 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Accept: application/json, text/plain, */*  
X-CSRF-Token: 1  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36  
Referer: https://gitlab.com/gitlabadminrsspl1111/thisispublicproject  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: issue_board_welcome_hidden=true; promote_burndown_charts_dismissed=true; cycle_analytics_help_dismissed=1; _ga=GA1.2.922314095.1537686075; _mkto_trk=id:194-VVC-221&token:_mch-gitlab.com-1537686075533-44677; pipeline_schedules_callout_dismissed=true; _biz_uid=18351712817945caaf2f1d99e4ae1589; auto_devops_settings_dismissed=true; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%2C%22Mkto%22%3A%221%22%2C%22Frm%22%3A%221%22%7D; _fbp=fb.1.1549094360636.1901280804; sidebar_collapsed=false; frequently_used_emojis=thumbsup%2Cart%2Cbasketball%2Cthumbsdown%2Cbicyclist_tone3%2Cbaseball; _sp_id.6b85=1-c31c-4026-821a-1-06a8-492f-b0f0-9929021a8ee4; _gid=GA1.2.973204736.1557559750; _gitlab_session=1; _biz_sid=10f6f3; _biz_nA=1113; _biz_pendingA=%5B%5D; event_filter=team  
If-None-Match: W/"1"

  4. If you look at the Cookie header in the above request, there is a parameter named event_filter. This is responsible for selecting which events are returned.

  5. Now, to get issue or merge events, simply send this request to Burp Repeater and change the value of event_filter to issue or merged.

  6. In the response, you will get something like {"html":"\n","count":3} for, say, merged. This means 3 merged events took place in this project!

  7. If you get the count as {"html":"\n","count":20}, then increase the offset in the above request by multiples of 10 until you get a count < 20, and then add up all the counts, which gives you the total number of events for that particular action!
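The defect the steps above describe is a count computed from the full event set while the rendered HTML is computed from the visibility-filtered set, so a non-member receives an empty "html" alongside a non-zero "count". The following Ruby model, added here as an illustration and not taken from GitLab's code base, shows that vulnerable shape beside the corrected one; Project, Event, activity_payload_vulnerable, activity_payload_fixed and the sample data are all hypothetical, constructed names.

```ruby
require "json"

# Hypothetical, simplified models (not GitLab's classes).
Project = Struct.new(:visibility, :issues_access, :merge_requests_access, :members)
Event   = Struct.new(:action, :target_type)

# Feature access levels matching the settings described in the report.
EVERYONE     = :everyone
MEMBERS_ONLY = :members_only

def member?(project, user)
  project.members.include?(user)
end

# May this user see an individual event? Issue and merge request events
# follow the per-feature setting; everything else is visible on a public project.
def event_visible?(project, user, event)
  level = case event.target_type
          when :issue         then project.issues_access
          when :merge_request then project.merge_requests_access
          else EVERYONE
          end
  level == EVERYONE || member?(project, user)
end

# Maps the event_filter values from the report onto event records.
def filter_matches?(event, event_filter)
  case event_filter
  when "issue"     then event.target_type == :issue
  when "merged"    then event.target_type == :merge_request && event.action == :merged
  when "all", nil  then true
  else false
  end
end

def render_html(events)
  events.map { |e| "<li>#{e.action} #{e.target_type}</li>" }.join("\n") + "\n"
end

# Vulnerable shape: HTML is rendered from visible events only, but "count" is
# taken from the unfiltered selection, leaking {"html":"\n","count":3} to a non-member.
def activity_payload_vulnerable(project, user, events, event_filter)
  selected = events.select { |e| filter_matches?(e, event_filter) }
  visible  = selected.select { |e| event_visible?(project, user, e) }
  { "html" => render_html(visible), "count" => selected.size }
end

# Fixed shape: the visibility filter is applied before anything is counted,
# so the count can never exceed what the caller is allowed to see.
def activity_payload_fixed(project, user, events, event_filter)
  selected = events.select { |e| filter_matches?(e, event_filter) }
  visible  = selected.select { |e| event_visible?(project, user, e) }
  { "html" => render_html(visible), "count" => visible.size }
end

def activity_json(payload)
  JSON.generate(payload)
end

# Constructed sample: a public project with Issues and Merge Requests set to
# members only, one member ("owner"), three merged MRs, one issue, one push.
SAMPLE_PROJECT = Project.new(:public, MEMBERS_ONLY, MEMBERS_ONLY, ["owner"])
SAMPLE_EVENTS = [
  Event.new(:merged, :merge_request),
  Event.new(:merged, :merge_request),
  Event.new(:merged, :merge_request),
  Event.new(:opened, :issue),
  Event.new(:pushed, :repository),
]

if __FILE__ == $PROGRAM_NAME
  puts activity_json(activity_payload_vulnerable(SAMPLE_PROJECT, "guest", SAMPLE_EVENTS, "merged"))
  puts activity_json(activity_payload_fixed(SAMPLE_PROJECT, "guest", SAMPLE_EVENTS, "merged"))
  puts activity_json(activity_payload_fixed(SAMPLE_PROJECT, "owner", SAMPLE_EVENTS, "merged"))
end
```

Because the corrected version counts only after filtering, the offset-walking trick in step 7 yields nothing extra either: every page a non-member requests is counted against the same filtered set.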

Examples POC

Use my project at https://gitlab.com/gitlabadminrsspl1111/thisispublicproject to reproduce. You will see 3 merged events although you can't see the merge requests!

What is the current bug behavior?

Able to see activity counts of actions despite the Only Project Members settings in public projects.

What is the expected correct behavior?

This count shouldn't be visible publicly when these settings are applied.

Output of checks

This bug happens on GitLab.com and might affect Omnibus installations too!

Regards,
Ashish

Impact

Issue/merge activity event counts are visible despite the Only Project Members settings in public projects.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-05-11_at_14.30.08.png
  • Screenshot_2019-05-11_at_14.29.54.png