Group dashboard reveals number of projects and subgroups
HackerOne report #447804 by ashish_r_padelkar on 2018-11-20:
Summary:
If a private group has multiple projects and a user has access to only one project in it, they can still know the number of projects within the group and the number of subgroups (at root level).
Description:
When a private group has multiple projects and a user has guest access to only one project within the group, they can still see how many projects and subgroups (root level) this group has. Note that these are just counts they can see.
https://gitlab.com/dashboard/groups
The above shows the group has 0 subgroups at root level and 2 projects, whereas the user has access to only one of them.
Regards, Ashish
Impact
Group dashboard reveals the number of projects and subgroups
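The leak described in this report, shown next to an authorization-aware count, as an added example that is not part of the original report and is not GitLab's code. The `Directory` model, its method names and the sample users are hypothetical; the constructed scenario is a private group with two projects and one subgroup, and a guest who belongs to only one project.

```ruby
# Constructed model, not GitLab's schema or code; every name here is hypothetical.
Group   = Struct.new(:id, :parent_id)   # all groups in this model are private
Project = Struct.new(:id, :group_id)

class Directory
  # group_members / project_members map an id to an array of user names.
  def initialize(groups, projects, group_members, project_members)
    @groups, @projects, @group_members, @project_members = groups, projects, group_members, project_members
  end

  # Leaky: counts every child row, whoever is asking.
  def raw_counts(group)
    { projects:  @projects.count { |p| p.group_id == group.id },
      subgroups: @groups.count { |g| g.parent_id == group.id } }
  end

  # Hardened: counts only the children the viewer is authorized to list.
  def visible_counts(group, user)
    { projects:  @projects.count { |p| p.group_id == group.id && reads_project?(p, user) },
      subgroups: @groups.count { |g| g.parent_id == group.id && reads_group?(g, user) } }
  end

  private
  # Group membership is inherited from ancestor groups.
  def group_member?(group, user)
    while group
      return true if @group_members.fetch(group.id, []).include?(user)
      group = @groups.find { |g| g.id == group.parent_id }
    end
    false
  end

  def project_member?(project, user)
    @project_members.fetch(project.id, []).include?(user)
  end

  def reads_project?(project, user)
    project_member?(project, user) || group_member?(@groups.find { |g| g.id == project.group_id }, user)
  end

  # Simplification: a subgroup is listable by its members or by members of a project directly inside it.
  def reads_group?(group, user)
    group_member?(group, user) ||
      @projects.any? { |p| p.group_id == group.id && project_member?(p, user) }
  end
end

# Constructed scenario: private group 1 holds projects 10, 11 and subgroup 2; "guest" is on project 10 only.
ROOT   = Group.new(1, nil)
SAMPLE = Directory.new([ROOT, Group.new(2, 1)], [Project.new(10, 1), Project.new(11, 1)], { 1 => ["owner"] }, { 10 => ["guest"] })
```

`SAMPLE.raw_counts(ROOT)` gives every viewer the same totals, while `SAMPLE.visible_counts(ROOT, "guest")` derives the numbers from the same authorization check that filters the list itself.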