Gitlab leaks names of private groups
Closed
Created by: cao
This is a copy of Gitlab CE Issue #13309 and posted here for convenience.
Update
The problem is also reported in Gitlab CE Issues #12658, #13226, #12830, and #13237.
Summary
Gitlab leaks the names of all groups which have at least 1 project to non-authenticated users via the publicly accessible /explore/groups. Group names might be sensitive if Gitlab is mainly used internally but accessible through a public interface. This includes private groups, which have 0 public projects and at least 1 private project.
Steps to reproduce
- Create group
- Create non-public project in group
- Log out
- Visit /explore/groups
Expected behavior
Groups that do not have any public projects are private and their name should not be exposed.
Output of checks
Does not apply.
Possible fixes
Do not expose groups that have 0 public projects.
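The following is an added Ruby example, not GitLab's own code, that models the listing behaviour described in this report and the proposed fix. The `Group` and `Project` structs, the function names and the sample data are constructed for illustration; only the three visibility levels (public, internal, private) mirror GitLab's. For an anonymous visitor, only public projects count, so a group whose projects are all internal or private is not listed.

```ruby
# Added example (not GitLab's own code): a minimal model of the
# /explore/groups listing and the proposed fix, "do not expose groups
# that have 0 public projects". Structs and sample data are constructed.

Project = Struct.new(:name, :visibility) # :public, :internal or :private
Group   = Struct.new(:name, :projects)

# Behaviour described in the report: every group with at least one
# project is listed, regardless of that project's visibility.
def explore_groups_leaky(groups)
  groups.select { |g| g.projects.any? }.map(&:name)
end

# Proposed fix: an unauthenticated visitor only sees groups that own at
# least one public project. Internal and private projects do not count.
def explore_groups_fixed(groups)
  groups.select { |g| g.projects.any? { |p| p.visibility == :public } }.map(&:name)
end

# Group names the leaky listing exposes but the fixed one hides; useful
# as a regression check when reviewing a candidate patch.
def leaked_group_names(groups)
  explore_groups_leaky(groups) - explore_groups_fixed(groups)
end

# Constructed sample data covering each case in the report.
SAMPLE_GROUPS = [
  Group.new("public-tools",  [Project.new("cli", :public), Project.new("secrets", :private)]),
  Group.new("internal-only", [Project.new("wiki", :internal)]),
  Group.new("finance",       [Project.new("ledger", :private)]),
  Group.new("empty",         [])
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{explore_groups_leaky(SAMPLE_GROUPS).inspect}"
  puts "after fix:  #{explore_groups_fixed(SAMPLE_GROUPS).inspect}"
  puts "leaked:     #{leaked_group_names(SAMPLE_GROUPS).inspect}"
end
```

Running it lists `public-tools`, `internal-only` and `finance` before the fix and only `public-tools` after it; `leaked_group_names` reports the two names an anonymous visitor should never have seen. A group with no projects at all is hidden in both versions, matching the report's observation that only groups with at least one project were exposed.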