Private System Note Disclosure using GraphQL
HackerOne report #633001 by ngalog on 2019-06-30:
Summary
When you use the REST API or UI to view an issue's discussion/notes, private system notes are hidden (visible to members only).
Examples: moving an issue to a private project, marking an issue as a duplicate of a confidential issue, or someone mentioning this issue in a confidential issue.
They are properly hidden in REST and the UI, but you can still see them in GraphQL.
Steps to reproduce
- Open a new private browser without an authenticated session
- visit https://gitlab.com/-/graphql-explorer
- paste this query and see the difference between the UI (username16/ci-test#1 (moved) <-- this is a public project with a public issue doing some private stuff) and the GraphQL response
query {
  project(fullPath: "username16/ci-test") {
    issue(iid: "1") {
      descriptionHtml
      notes {
        edges {
          node {
            bodyHtml
            system
            author {
              username
            }
            body
          }
        }
      }
    }
  }
}
- You should notice it has moved to dynamic#1, which is not visible from the UI
- also you should be able to see it was marked as a duplicate of #2 (closed), which is not visible from the UI because #2 (closed) is confidential
- also you can see someone mentioned this issue in #2 (closed), which is not visible from the UI because #2 (closed) is confidential
Impact
Disclosure of all system notes of an issue/MR/design that should be private
Reproduced on gitlab.com
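The bug class in this report is an authorization check applied on one API surface (REST, UI) but not another (GraphQL). A useful regression check for defenders is to fetch the same issue's notes through both surfaces as the same low-privilege viewer and flag anything GraphQL returns that REST does not. The script below is an added example, not GitLab's code or the reporter's script; both responses are constructed sample data shaped like the report's query (project -> issue -> notes.edges[].node) and like a REST notes listing, with made-up note texts and usernames.

```python
"""Cross-check note visibility between two API surfaces for the same issue.

Added example. The two responses below are constructed sample data: what an
unauthenticated client might receive from the REST notes endpoint and from the
GraphQL query in the report. Note bodies and usernames are made up.
"""
from __future__ import annotations

# Constructed: REST notes listing as seen by an unauthenticated viewer.
REST_NOTES = [
    {"id": 1, "system": False, "body": "Thanks for the report.",
     "author": {"username": "alice"}},
    {"id": 2, "system": True, "body": "changed the description",
     "author": {"username": "alice"}},
]

# Constructed: GraphQL response for the same issue and the same viewer.
GRAPHQL_RESPONSE = {
    "data": {"project": {"issue": {
        "descriptionHtml": "<p>example</p>",
        "notes": {"edges": [
            {"node": {"body": "Thanks for the report.", "system": False,
                      "author": {"username": "alice"}}},
            {"node": {"body": "changed the description", "system": True,
                      "author": {"username": "alice"}}},
            {"node": {"body": "moved to dynamic#1", "system": True,
                      "author": {"username": "alice"}}},
            {"node": {"body": "marked this issue as a duplicate of #2",
                      "system": True, "author": {"username": "alice"}}},
        ]},
    }}}
}


def flatten_graphql_notes(response: dict) -> list[dict]:
    """Walk the nested edges/node structure into a flat list of note dicts."""
    edges = response["data"]["project"]["issue"]["notes"]["edges"]
    return [edge["node"] for edge in edges]


def note_key(note: dict) -> tuple:
    """Identity used for comparison: system flag, author username, body text."""
    return (bool(note.get("system")), note["author"]["username"],
            note["body"].strip())


def notes_only_in_graphql(rest_notes: list[dict],
                          graphql_response: dict) -> list[dict]:
    """Return notes GraphQL exposes that REST did not return for this viewer.

    A non-empty result for an unauthenticated or non-member viewer means the
    two surfaces apply different visibility rules, i.e. the bug class reported.
    """
    rest_keys = {note_key(n) for n in rest_notes}
    return [n for n in flatten_graphql_notes(graphql_response)
            if note_key(n) not in rest_keys]


def leaked_system_notes(rest_notes: list[dict],
                        graphql_response: dict) -> list[str]:
    """Bodies of system notes visible only via GraphQL (the private ones)."""
    return [n["body"] for n in notes_only_in_graphql(rest_notes, graphql_response)
            if n["system"]]


if __name__ == "__main__":
    for body in leaked_system_notes(REST_NOTES, GRAPHQL_RESPONSE):
        print("GraphQL-only system note:", body)
```

Run as an unauthenticated or non-member session against a test project, the check should print nothing; any output points at a field or resolver where the GraphQL layer is missing the visibility filter the REST layer applies.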