Number of merge requests associated with milestones are visible from private projects
HackerOne report #675427 by ashish_r_padelkar
on 2019-08-17, assigned to estrike:
Summary
Hello,
I reported this before at #529951 in a comment, but it looks like it was missed on your side, and I also forgot to test it again because it was only a comment. The main issue reported there was fixed, but not this one.
So basically, when merge requests are associated with milestones, the counts with their statuses are visible publicly when:
- A private project is inside a public group, and the project's merge requests are associated with the public group's milestones.
- Merge requests are set to "Only Project Members" in a public project and are associated with milestones.
Steps to reproduce
- Create a public project with Repository set as "Only Project Members".
- Create a merge request inside it and associate it with a milestone, e.g. Milestone1.
- Log in as a different user. This user won't see the merge requests, as the user is not a member.
- But he can see the milestone, as issues are visible. So the user can go to the milestone page /thisispublicproject/-/milestones/<ID of Milestone1> and can see the number of merge requests associated with this milestone in the right sidebar.
The same thing happens when a public group contains a private project and the merge requests are associated with group milestones!
What is the current bug behavior?
Able to see the number of merge requests along with their statuses when they are associated with milestones.
What is the expected correct behavior?
Merge request information should not be visible publicly when it is not allowed to be.
Output of checks
This bug happens on GitLab.com and must happen on omnibus installations too!
Regards,
Ashish
Impact
When merge requests are associated with milestones, the counts with their statuses are visible publicly when:
- A private project is inside a public group, and the project's merge requests are associated with the public group's milestones.
- Merge requests are set to "Only Project Members" in a public project and are associated with milestones.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
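The count leak the report describes, modelled as an added example in Ruby. This is illustrative code written for this page, not GitLab's implementation: the structs, the read rule in `can_read_mrs?`, the project and milestone names, and the sample merge requests are all assumptions. The vulnerable sidebar tallies every merge request on a milestone regardless of who is looking; the fixed one first filters by the viewer's read permission, the same rule the merge request list itself enforces, so the aggregate cannot reveal more than the list would.

```ruby
# Added example, not GitLab's code: a minimal model of the milestone
# sidebar count leak. Structs, the authorization rule and the sample
# data below are constructed for illustration.

Project      = Struct.new(:name, :visibility, :mr_visibility, :members)
Milestone    = Struct.new(:title)
MergeRequest = Struct.new(:project, :milestone, :state)

# Rule the merge request list enforces: members see their project's MRs;
# everyone else needs a public project whose MR feature is visible to everyone.
def can_read_mrs?(user, project)
  return true if !user.nil? && project.members.include?(user)
  project.visibility == :public && project.mr_visibility == :everyone
end

# Tally merge requests by state (:opened / :merged / :closed).
def tally_by_state(mrs)
  mrs.each_with_object(Hash.new(0)) { |mr, counts| counts[mr.state] += 1 }
end

# Vulnerable sidebar: counts every MR on the milestone and ignores the viewer,
# so a non-member learns how many MRs exist and in which states.
def sidebar_counts_vulnerable(milestone, all_mrs, _user)
  tally_by_state(all_mrs.select { |mr| mr.milestone == milestone })
end

# Fixed sidebar: apply the same read check as the MR list before counting.
def sidebar_counts_fixed(milestone, all_mrs, user)
  visible = all_mrs.select do |mr|
    mr.milestone == milestone && can_read_mrs?(user, mr.project)
  end
  tally_by_state(visible)
end

# Constructed sample data for the two scenarios in the report:
# a public project with MRs restricted to members, and a private project
# inside a public group sharing a group milestone with a fully public project.
PUBLIC_PROJECT  = Project.new("thisispublicproject", :public, :members_only, ["ashish"])
PRIVATE_PROJECT = Project.new("private-in-public-group", :private, :everyone, ["ashish"])
OPEN_PROJECT    = Project.new("fully-public", :public, :everyone, ["ashish"])

MILESTONE1      = Milestone.new("Milestone1")      # project milestone
GROUP_MILESTONE = Milestone.new("Group milestone") # shared across the group

SAMPLE_MRS = [
  MergeRequest.new(PUBLIC_PROJECT,  MILESTONE1,      :opened),
  MergeRequest.new(PUBLIC_PROJECT,  MILESTONE1,      :opened),
  MergeRequest.new(PUBLIC_PROJECT,  MILESTONE1,      :merged),
  MergeRequest.new(PRIVATE_PROJECT, GROUP_MILESTONE, :opened),
  MergeRequest.new(PRIVATE_PROJECT, GROUP_MILESTONE, :closed),
  MergeRequest.new(OPEN_PROJECT,    GROUP_MILESTONE, :merged),
].freeze

if __FILE__ == $PROGRAM_NAME
  [nil, "bob", "ashish"].each do |viewer|
    [MILESTONE1, GROUP_MILESTONE].each do |ms|
      puts "#{viewer || 'anonymous'} on #{ms.title}: " \
           "vulnerable=#{sidebar_counts_vulnerable(ms, SAMPLE_MRS, viewer)} " \
           "fixed=#{sidebar_counts_fixed(ms, SAMPLE_MRS, viewer)}"
    end
  end
end
```

Running it shows the anonymous viewer and the non-member "bob" getting the full per-state breakdown from the vulnerable tally on both milestones, while the fixed tally gives them nothing for Milestone1 and only the fully public project's merged MR for the group milestone; the member "ashish" sees identical counts from both. The general point is that any aggregate (counts, progress bars, burndown charts) built from a collection must go through the same authorization filter as the collection's list view, otherwise the aggregate becomes an oracle for data the list hides.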