
mirrored url visible for users despite no access to repositories

HackerOne report #708639 by ashish_r_padelkar on 2019-10-06, assigned to @ankelly:

Summary

Hello,

When a repository is mirrored from another repository, the URL of that source repository is visible on the project details page to users who don't have any access to the repository.

Steps to reproduce

  1. As an owner of a public project, set your repository to Only Project members
  2. Now go to https://gitlab.com/<UserName>/<ProjectName>/-/settings/repository --> Mirroring repositories
  3. Add the git URL of a private GitHub project and set Mirror direction to Pull
  4. Now log in as a non-member and visit the project detail page at https://gitlab.com/<UserName>/<ProjectName> and you will see the URL of the repository from which this repository is mirrored, despite having no permission to see the repository.

Screenshot_2019-10-07_at_00.07.57.png

What is the current bug behavior?

Mirrored URL visible to unauthorized users

What is the expected correct behavior?

Only users with access to the GitLab repository should see the mirrored URL

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

The mirrored URL can be from a private GitHub project. So, if a public GitLab project is mirroring a private GitHub project, unauthorized users will see the URL of the private GitHub project.

If the URL is from a public GitHub project, this gives them an idea of the branch names and files in the current GitLab project even though they cannot see the repository in GitLab.

This also happens in a GitLab private project, where a guest is able to see the mirrored URL.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!
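The following is an added check for the behaviour described in this report; it is not GitLab's code and not the reporter's. It decides, from what the Projects API returns to a given caller, whether that caller is allowed to read the repository, and compares that with whether a mirror source URL is visible to them (via the API's `import_url` field or a "Mirrored from" marker on the project page). The names `viewer_can_read_repository`, `assess` and the `SAMPLE_*` responses are this example's own; the responses are constructed to model the report's setup (public project, repository set to Only Project members, pull mirror of a private GitHub repository), not captured from GitLab.com. It assumes the Projects API exposes `visibility`, `repository_access_level`, `permissions` and `import_url`, that the page marks a mirror with "Mirrored from <url>", and that reading code in a members-only repository needs the Reporter role while Guest suffices only on public or internal projects.

```python
"""Does a GitLab viewer who cannot read the repository still see its pull-mirror URL?

Added example; not GitLab's own code. Assumed API shape: GET /api/v4/projects/:id
returns `visibility`, `repository_access_level`, `permissions` and `import_url`.
All SAMPLE_* data below is constructed, not captured from GitLab.com.
"""
import json
import re
import urllib.request
from typing import Optional
from urllib.parse import urlparse

REPORTER = 20  # assumed: lowest access level that can read code in a members-only repo
# Capture the URL after the marker; stop at whitespace or the next HTML tag.
MIRROR_MARKER = re.compile(r"Mirrored from\s+([^\s<]+)")


def viewer_access_level(project: dict) -> int:
    """Highest access level the API reports for the caller (0 = non-member)."""
    perms = project.get("permissions") or {}
    levels = [p["access_level"] for p in (perms.get("project_access"), perms.get("group_access")) if p]
    return max(levels, default=0)


def viewer_can_read_repository(project: dict) -> bool:
    """Approximation of GitLab's rule for whether the caller may read the code."""
    level = project.get("repository_access_level", "enabled")
    if level == "disabled":
        return False
    if level == "private":  # the "Only Project members" setting from the report
        return viewer_access_level(project) >= REPORTER
    # "enabled": anyone who can see a public/internal project; in private
    # projects a guest still cannot read code (assumed rule, see lead-in).
    return project.get("visibility") in ("public", "internal") or viewer_access_level(project) >= REPORTER


def mirror_url_from_html(page: str) -> Optional[str]:
    """Mirror URL as rendered on the project page, if the marker is present."""
    m = MIRROR_MARKER.search(page)
    return m.group(1) if m else None


def url_carries_credentials(url: str) -> bool:
    """A URL with userinfo (https://user:token@host/...) would leak far more than a repo name."""
    p = urlparse(url)
    return bool(p.username or p.password)


def assess(project: dict, page_html: str = "") -> dict:
    """Mirror URLs visible to this viewer, and whether showing them is a leak."""
    urls = {u for u in (project.get("import_url"), mirror_url_from_html(page_html)) if u}
    can_read = viewer_can_read_repository(project)
    return {
        "viewer_can_read_repository": can_read,
        "urls": sorted(urls),
        "leaked": bool(urls) and not can_read,
        "credentials_in_url": any(url_carries_credentials(u) for u in urls),
    }


def fetch_project(base_url: str, project_id: int, token: Optional[str] = None) -> dict:
    """Live variant: call the Projects API once as the owner and once as a
    non-member (or anonymously with token=None) and pass each result to assess()."""
    headers = {"PRIVATE-TOKEN": token} if token else {}
    req = urllib.request.Request(f"{base_url}/api/v4/projects/{project_id}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed responses modelling the report: public project, repository set to
# "Only Project members", pull mirror from a private GitHub repository.
_BASE = {
    "id": 123,
    "path_with_namespace": "example-owner/example-project",
    "visibility": "public",
    "repository_access_level": "private",
    "mirror": True,
    "import_url": "https://github.com/example-org/private-repo.git",
}
SAMPLE_OWNER_VIEW = {**_BASE, "permissions": {"project_access": {"access_level": 50}, "group_access": None}}
SAMPLE_NONMEMBER_VIEW = {**_BASE, "permissions": {"project_access": None, "group_access": None}}
SAMPLE_PAGE = '<div class="project-mirror">Mirrored from https://github.com/example-org/private-repo.git</div>'

if __name__ == "__main__":
    for name, view in (("owner", SAMPLE_OWNER_VIEW), ("non-member", SAMPLE_NONMEMBER_VIEW)):
        print(name, assess(view, SAMPLE_PAGE))
```

Run against a live instance by calling `fetch_project` twice, once with the owner's token and once with a non-member's token (or none), and passing each response to `assess`; `leaked` should be false for both once the page and API hide the mirror source from viewers who cannot read the code. The `credentials_in_url` flag is a separate check worth keeping: a mirror URL that still carries userinfo is a credential disclosure, not just a name disclosure.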