Shared group details are exposed in the project API to members without sufficient privilege
Summary
A GitLab project can be shared with groups. Which groups have access to a project is not supposed to be visible to project members below a certain privilege level: it should only be shown to project members with at least the Maintainer role. The web UI enforces this correctly, but the same information leaks through the API. A project member with the Developer or Reporter role can query the project through the API and see the groups the project is shared with.
Steps to reproduce
- Create a project TP1 (say project id is 11992)
- Create a test group TG1 with at least one member
- Add one test user TU1 for the project with Reporter privilege
- Share the project with the test group TG1
- Impersonate test user TU1
- Query the API https://gitlaburl/api/v4/projects/11992
- Notice that the shared_with_groups information is exposed in the response
What is the current bug behavior?
The shared_with_groups object is exposed in the JSON response to a non-privileged member of the project.
What is the expected correct behavior?
The shared_with_groups object should not be present in the JSON response to a non-privileged member of the project.
Possible fixes
https://gitlab.com/gitlab-org/gitlab/blob/master/lib/api/entities.rb#L304
```ruby
# Current code: shared_with_groups is exposed unconditionally, to every
# user who can read the project.
expose :shared_with_groups do |project, options|
  SharedGroup.represent(project.project_group_links, options)
end
```
should be
```ruby
# Proposed fix: only expose the field when the presenting user can
# administer the project (Maintainer or above), using the
# user_can_admin_project option the Projects API already passes in.
expose :shared_with_groups, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
  SharedGroup.represent(project.project_group_links, options)
end
```
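To show the effect of the proposed condition, the following added example (not GitLab's code) models the entity with a minimal pure-Ruby presenter instead of Grape, and uses constructed stand-ins for the project, group and link objects; the role-to-ability mapping assumed is that only Maintainer and Owner carry admin_project.

```ruby
require 'json'

# Constructed stand-ins for the GitLab records the entity touches (not GitLab code).
Group            = Struct.new(:id, :name, :full_path)
ProjectGroupLink = Struct.new(:group, :group_access)
Project          = Struct.new(:id, :name, :project_group_links)

# Assumption: roles that carry the admin_project ability (Maintainer and Owner).
ADMIN_ROLES = %i[maintainer owner].freeze

# Mirrors how the API layer populates options[:user_can_admin_project]
# for the user making the request.
def can_admin_project?(role)
  ADMIN_ROLES.include?(role)
end

# Minimal stand-in for the Grape entity: shared_with_groups is only added
# when the presenting user can administer the project, as the fix proposes.
def present_project(project, options)
  response = { 'id' => project.id, 'name' => project.name }
  if options[:user_can_admin_project]
    response['shared_with_groups'] = project.project_group_links.map do |link|
      { 'group_id' => link.group.id,
        'group_name' => link.group.name,
        'group_full_path' => link.group.full_path,
        'group_access_level' => link.group_access }
    end
  end
  response
end

# Builds the JSON body a project member with the given role would receive.
def api_project_json(project, role)
  options = { user_can_admin_project: can_admin_project?(role) }
  JSON.generate(present_project(project, options))
end

# Constructed sample data following the reproduction steps (TP1 shared with TG1).
TG1 = Group.new(5, 'TG1', 'tg1')
TP1 = Project.new(11992, 'TP1', [ProjectGroupLink.new(TG1, 30)])

if __FILE__ == $PROGRAM_NAME
  %i[reporter developer maintainer].each do |role|
    puts "#{role}: #{api_project_json(TP1, role)}"
  end
end
```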