Notes JSON is accessible without authentication for confidential issues

Comments on confidential issues can be intercepted if you know the

For example, get all comments from https://gitlab.com/gitlab-org/gitlab-ce/issues/18302#note_12427857: https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=1465855717

The vulnerability is exploitable in a number of ways. For one, just iterate through every comment ID and scrape until you find the word "security" in there. Alternatively, if someone links to a comment in an issue, the URL won't be rendered by Banzai but the comment ID still is.

Also, it's not just new comments, just set the last_fetched_at to whenever you want! https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=0000000

Try those URLs in incognito/private mode, they work :)

Do I get a vulnerability reward for this? 😉

cc: @stanhu