Know whether release tags exist or not as a guest in private projects

HackerOne report #587938 by ashish_r_padelkar on 2019-05-22, assigned to jritchey:

Summary

Hello,

#478569 is fixed for public projects and gets 403 in both cases, i.e. whether or not the tag exists with releases.

However, with the introduction of https://about.gitlab.com/2019/05/22/gitlab-11-11-released/#guest-access-to-releases , it is possible for guest users to know whether a release contains the tag or not using the API response.

Steps to reproduce

  1. As a guest user in a private project, navigate to Releases. You won't see the tags associated with the releases.

  2. Now just hit the URL below in the browser:

     https://gitlab.com/api/v4/projects/<ProjectID>/releases/ThisIsValidTAG/assets/links

  3. If you get the response [] , then the tag ThisIsValidTAG is associated with a release.

  4. If you get the response {"message":"404 Not found"}, then the tag is NOT associated with any release within the project.

What is the current bug behavior?

A guest might be able to guess the correct tags of the releases based on the response from the API.

What is the expected correct behavior?

Responses should be the same irrespective of whether the tag is associated with a release or not.

Output of checks

This bug happens on GitLab.com and might be on Omnibus installations too!

Regards,
Ashish

Impact

A guest can guess the correct tags associated with the releases by using API responses in private projects!
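The response oracle the report describes, and the uniform-response behaviour it asks for, modelled as an added Ruby example (a constructed model, not GitLab's code): the vulnerable handler looks the release up before checking whether the caller may read tags, so a guest gets [] or 404 depending on existence; the fixed handler authorizes first, so a guest gets the same 404 either way. Project, User, can_read_tag? and the two handler functions are assumed names for this illustration.

```ruby
# Constructed model of a release assets/links endpoint (not GitLab's code).
# releases maps a tag name to that release's list of asset links.
Project = Struct.new(:id, :releases)
User    = Struct.new(:name, :role) # role: :guest, :developer, ...

# Guests may see releases but not the tags they point to (assumed policy).
def can_read_tag?(user)
  user.role != :guest
end

NOT_FOUND = { status: 404, body: { "message" => "404 Not found" } }.freeze

# Vulnerable ordering: existence is checked before permission, so the
# status code alone tells a guest whether the tag has a release.
def assets_links_vulnerable(user, project, tag)
  release = project.releases[tag]
  return NOT_FOUND unless release
  { status: 200, body: release }
end

# Fixed ordering: a caller who may not read tags gets the same 404 whether
# or not a release exists for that tag, so the response leaks nothing.
def assets_links_fixed(user, project, tag)
  return NOT_FOUND unless can_read_tag?(user)
  release = project.releases[tag]
  return NOT_FOUND unless release
  { status: 200, body: release }
end

# True when a handler gives the caller different responses for an existing
# and a non-existing tag, i.e. when it can be used as an existence oracle.
def oracle?(handler, user, project, existing_tag, missing_tag)
  send(handler, user, project, existing_tag) != send(handler, user, project, missing_tag)
end

if __FILE__ == $PROGRAM_NAME
  project = Project.new(1, { "ThisIsValidTAG" => [] }) # constructed sample data
  guest   = User.new("guest", :guest)
  puts "vulnerable handler is an oracle: #{oracle?(:assets_links_vulnerable, guest, project, 'ThisIsValidTAG', 'nope')}"
  puts "fixed handler is an oracle:      #{oracle?(:assets_links_fixed, guest, project, 'ThisIsValidTAG', 'nope')}"
end
```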
