3 files changed, 20 insertions, 6 deletions

diff --git a/CHANGELOG b/CHANGELOG
index 00b3255ce2d..e8f367c332b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,8 @@ v 7.10.0 (unreleased)
   - Fix project import URL regex to prevent arbitary local repos from being imported.
   - Fix directory traversal vulnerability around uploads routes.
   - Fix directory traversal vulnerability around help pages.
+  - Don't leak existence of project via search autocomplete.
+  - Don't leak existence of group or project via search.
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
   - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/Gemfile.lock b/Gemfile.lock
index 747dbe1b037..dc00acf6292 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -188,7 +188,7 @@ GEM
       dotenv (>= 0.7)
       thor (>= 0.13.6)
     formatador (0.2.4)
-    gemnasium-gitlab-service (0.2.4)
+    gemnasium-gitlab-service (0.2.6)
       rugged (~> 0.21)
     gemojione (2.0.0)
       json
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index a3284c82d3f..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController
 
   def show
     return if params[:search].nil? || params[:search].blank?
-    @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
-    @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :download_code, @project)
+    end
+
+    if params[:group_id].present?
+      @group = Group.find_by(id: params[:group_id]) 
+      @group = nil unless can?(current_user, :read_group, @group)
+    end
+    
     @scope = params[:scope]
     @show_snippets = params[:snippets].eql? 'true'
 
     @search_results = 
       if @project
-        return access_denied! unless can?(current_user, :download_code, @project)
-
         unless %w(blobs notes issues merge_requests wiki_blobs).
           include?(@scope)
           @scope = 'blobs'
@@ -35,7 +42,12 @@ class SearchController < ApplicationController
 
   def autocomplete
     term = params[:term]
-    @project = Project.find(params[:project_id]) if params[:project_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :read_project, @project)
+    end
+
     @ref = params[:project_ref] if params[:project_ref].present?
 
     render json: search_autocomplete_opts(term).to_json