Full URLs to referenced issues or MRs I don't have access to are not autolinked
I noticed that in https://gitlab.com/gitlab-com/infrastructure/issues/3287#note_48490255, the URL was not autolinked.

@smcgivern correctly theorized that this was our `Banzai::Redactor` replacing a merge request reference link with the link's plain text content, because I don't have access to the private project in question.
If Pablo's comment had included a URL to a nonexistent project, or a nonexistent MR inside an existent project, it would never have been turned into a reference link by our `MergeRequestReferenceFilter`, would have remained untouched by the `Redactor`, and would have looked like a simple autolinked link. This means that, technically, GitLab is leaking private project existence, because URLs to private and nonexistent projects end up being rendered differently.
However, the link would not have been turned into a reference at all if Pablo didn’t have access to that project and MR, and it would have remained autolinked just like a link to a nonexistent project would. With and without this bug, existence of the project would have been leaked by Pablo posting a comment linking to it in a place where people without access to the project could find it.
We could/should still fix this, but it's a cosmetic issue, not a security one.
We already have a `link_reference` attribute in `AbstractReferenceFilter#object_link_filter`, which we could add to the `<a>` tag in a `data` attribute, which the `Redactor` would then use to determine whether to completely replace the link with its contents (as it does now), or to keep the link but remove any "identifying" information, like `data` attributes and the tooltip `title`.
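To illustrate the proposed `link_reference` handling, here is an added example (not GitLab's own Banzai code): an `<a>` tag is modelled as a small Struct rather than a Nokogiri node, and the attribute names `data-link-reference`, `data-project` and `data-reference-type`, as well as all URLs and ids, are constructed assumptions.

```ruby
# Added example (not GitLab's Banzai code): a simplified model of the Redactor
# decision. An <a> tag is a Struct instead of a Nokogiri node; the attribute
# names below are assumptions chosen for illustration.
Anchor = Struct.new(:href, :text, :attrs, keyword_init: true)

# Attributes that reveal something about the referenced object (project id,
# reference type, tooltip title) and must never reach a viewer without access.
IDENTIFYING_ATTRS = %w[data-reference-type data-project title].freeze

# What a reference filter would emit for a URL the *author* could resolve.
# `link_reference: true` means the reference was written as a full URL, so the
# link text is the URL itself (constructed values throughout).
def reference_link(href, text:, project_id:, link_reference:)
  Anchor.new(href: href, text: text, attrs: {
    "data-reference-type" => "merge_request",
    "data-project" => project_id.to_s,
    "data-link-reference" => link_reference.to_s,
    "title" => "Merge request title only members should see"
  })
end

# What the autolink filter emits for a URL never recognised as a reference
# (e.g. a nonexistent project): href and text are both the raw URL.
def autolink(url)
  Anchor.new(href: url, text: url, attrs: {})
end

# Redactor step for one anchor. Viewers with access keep the node untouched.
# Otherwise: a URL-form reference is kept as a bare link with identifying
# attributes stripped (so it renders exactly like an autolink); a shorthand
# reference (!7) is replaced by its plain text, the current behaviour.
def redact(anchor, viewer_can_read:)
  return anchor if viewer_can_read
  return anchor.text unless anchor.attrs["data-link-reference"] == "true"

  kept = anchor.attrs.reject { |k, _| IDENTIFYING_ATTRS.include?(k) || k == "data-link-reference" }
  Anchor.new(href: anchor.href, text: anchor.text, attrs: kept)
end

# Serialise either an Anchor or the plain text the Redactor substituted.
# No HTML escaping: illustration only, not a real serializer.
def render(node)
  return node if node.is_a?(String)
  attr_str = node.attrs.map { |k, v| %( #{k}="#{v}") }.join
  %(<a href="#{node.href}"#{attr_str}>#{node.text}</a>)
end
```

The check worth keeping is the last one in the redactor: after stripping, the output for a private MR the viewer cannot read is byte-for-byte the same shape as the autolink for a nonexistent project, which is what closes the rendering difference described above.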