Markdown of release notes leaks confidential issue titles and MR titles to any users
This is a reimport of [HackerOne report #478082](https://hackerone.com/reports/478082), due to the follow-up finding that the markdown rendering of the tag release notes and commit message is rendering the confidential issue titles, MR titles, and milestone titles as tooltips for Guest users. See the note below: https://gitlab.com/gitlab-org/gitlab-ce/issues/56568#note_132929837
HackerOne report #478082 by xanbanx on 2019-01-11, assigned to asaba:
GitLab recently introduced Releases, a way to present tags in the user interface of GitLab. These releases are currently managed via the API.
Releases are closely tied to ordinary git tags, and therefore also present similar information.
However, guest users, who do not have access to the code, also have access to these releases and therefore also have access to this information related to the code.