Private project path (forked) & branch visible in merge requests

HackerOne report #724895 by ashish_r_padelkar on 2019-10-29, assigned to @ankelly:

Summary

Hello,

When a public project is forked by a private project, the private project can request to merge into the public project via a merge request. In such merge requests, the project path and branch name of the private forked project are publicly visible in the Request to merge section.

The project path continues to be visible even when the fork relationship is removed, and updated paths are visible too.

Steps to reproduce

  1. Create a public project
  2. Fork it into a private project
  3. Create a merge request from the private project to the public project
  4. Now log in as a non-member and visit the above merge request. You should see the path of the private forked project publicly, along with its name, in the Request to merge section of the merge request.

Screenshot_2019-10-29_at_21.08.28.png

  5. Now remove the fork relationship from the private project and update the path of the private project
  6. Visit the same merge request again and you should see the updated name too!

What is the current bug behavior?

Shows the private forked project's path and branch name publicly in merge requests.

What is the expected correct behavior?

If the forked project is private, none of its information should be visible publicly.

Output of checks

This bug happens on GitLab.com and might happen on Omnibus installations too!

Regards,
Ashish

Impact

The private project path and branch name are visible publicly in merge requests if a public project is forked into a private project.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!