Public list of private project members

HO: 128051
zd: https://gitlab.zendesk.com/agent/tickets/18960

Description

A list of members for a private project is accessible to users not belonging to that project.

Reproducing

Most is copied over from HackerOne as they are good quality reports

The following steps require that you're signed in as a user that can create a new project. When someone imports project members from another project, the following code is executed:

# app/controllers/projects/project_members_controller.rb:96
def apply_import
  giver = Project.find(params[:source_project_id])

  # ...

  redirect_to(namespace_project_project_members_path(project.namespace, project),
                notice: notice)
end

When an attacker would specify a source_project_id that references a private project, it would copy the members of that project and it would add them to your own project. This way, you can check out who has access to which project. This information could be helpful in other attacks and/or could be used for social engineering since the email address of those people are public too.

The fix of this issue depends on if you want to allow projects to be imported the user has access to or only within the team scope.

---

/cc @DouweM

Reassigned to @grzesiek

Milestone changed to 8.6

@grzesiek Thanks for grabbing this :)

mentioned in commit b248ee93

mentioned in merge request !3535 (merged)

@DouweM

Merge request for this: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3535

Status changed to closed by commit b248ee93

Excellent job! I'll report back.

mentioned in commit 7ff974e3

mentioned in commit 2ac04162

mentioned in issue #15450 (moved)

@balameb @DouweM Should we unmark this issue as confidential?

@grzegorz Yep, made it public.