Information leakage with references to private project snippets

Summary

The title of a private project snippet can be leaked to non-project members when the snippet is referenced.

Steps to reproduce

1. In a public project (e.g. https://gitlab.com/rabbitfang/gitlab-bug-test), create a private snippet (any content and title).
2. Somewhere on GitLab where Markdown references are rendered, link to the created snippet (e.g. rabbitfang/gitlab-bug-test$33967)
3. Either save the comment/issue/MR, or just preview the rendered markdown.
4. ???
5. Profit (e.g. launch the nukes)

Expected behavior

The linked snippet is rendered as plain text without linking to the snippet or having hover text giving the snippet's title.

Actual behavior

The private snippet is linked and the title is available in a tooltip.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com. Tested on 8.15.0-rc3-ee

More Private Snippets

• gitlab-org/gitlab-ce$33946
• gitlab-com/operations$13170

Related Issues

• #14607 (closed)
• #15580 (closed)
• #23548 (closed)

Suggested Labels

snippets security