Gitlab leaks names of private groups
Created by: cao
This is a copy of Gitlab CE Issue #13309 and posted here for convenience.
Update
The problem is also reported in Gitlab CE Issues #12658, #13226, #12830, and #13237.
Summary
Gitlab leaks the names of all groups which have at least 1 project to non-authenticated users via the publicly accessible /explore/groups. Group names might be sensitive if Gitlab is mainly used internally but accessible through a public interface. This includes private groups, which have 0 public projects and at least 1 private project.
Steps to reproduce
- Create group
- Create non-public project in group
- Log out
- Visit /explore/groups
Expected behavior
Groups that do not have any public projects are private and their name should not be exposed.
Output of checks
Does not apply.
Possible fixes
Do not expose groups that have 0 public projects.