Information leakage with references to private project snippets
Summary
The title of a private project snippet can be leaked to non-project members when the snippet is referenced.
Steps to reproduce
- In a public project (e.g. https://gitlab.com/rabbitfang/gitlab-bug-test), create a private snippet (any content and title).
- Somewhere on GitLab where Markdown references are rendered, link to the created snippet (e.g. rabbitfang/gitlab-bug-test$33967)
- Either save the comment/issue/MR, or just preview the rendered markdown.
- ???
- Profit (e.g. launch the nukes)
Expected behavior
The linked snippet is rendered as plain text without linking to the snippet or having hover text giving the snippet's title.
Actual behavior
The private snippet is linked and the title is available in a tooltip.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com. Tested on 8.15.0-rc3-ee
More Private Snippets
- gitlab-org/gitlab-ce$33946
- gitlab-com/operations$13170
Related Issues
Suggested Labels
Edited by 🤖 GitLab Bot 🤖