Snippets can be accessed from another project
Summary
Snippets can be accessed through non-canonical URLs, including URLs that place them under other, completely unrelated projects.
Permission checks seem to be handled correctly, but I wasn't able to test all combinations. To be on the safe side, I marked this issue as confidential. Feel free to unmark it if it wasn't necessary.
Steps to reproduce
1. Create a snippet in any project
2. Visit `<gitlab instance url>/path/to/any/other/project/-/snippets/<id of the snippet created in step 1>`
Example Project
Setup used:
- Public project at zarunet/test-project>
- Public snippet zarunet/test-project$2144097
- Private project at zarunet/test-private-repo>
- Public snippet zarunet/test-private-repo$2144099
- Private snippet zarunet/test-private-repo$2144100
What is the current bug behavior?
Snippets are accessible from projects other than their own:
- zarunet/test-project$2144097 (public project, public snippet) is accessible from all of these:
  - zarunet/test-project$2144097 (canonical URL)
  - https://gitlab.com/zarunet/test-private-repo/-/snippets/2144097
  - https://gitlab.com/gitlab-org/gitlab/-/snippets/2144097
  - (repeat with any project you want)
- zarunet/test-private-repo$2144099 (private project, public snippet) is accessible from all of these:
  - https://gitlab.com/zarunet/test-project/-/snippets/2144099
  - https://gitlab.com/zarunet/test-private-repo/-/snippets/2144099 (canonical URL)
  - https://gitlab.com/gitlab-org/gitlab/-/snippets/2144099
  - (repeat with any project you want)
- zarunet/test-private-repo$2144100 (private project, private snippet) is accessible from all of these:
  - https://gitlab.com/zarunet/test-project/-/snippets/2144100
  - https://gitlab.com/zarunet/test-private-repo/-/snippets/2144100 (canonical URL)
  - https://gitlab.com/gitlab-org/gitlab/-/snippets/2144100
  - (repeat with any project you want)
What is the expected correct behavior?
Snippets should be accessible from their canonical URL only. Non-canonical URLs should return a 404. (Not sure what the intended behavior in this case is, feel free to correct if needed)
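The distinction between the current and the expected behavior comes down to whether the snippet lookup is scoped to the project named in the URL. The following is a constructed Ruby model added to illustrate that difference; it is not GitLab's code, and the route parser, the in-memory `PROJECTS`/`SNIPPETS` tables (mirroring the "Setup used" list above) and the two finder functions are all assumptions made for the example. `find_snippet_unscoped` reproduces the reported behavior (the project segment of the URL is ignored), while `find_snippet_scoped` returns 404 for every non-canonical URL, which is the expected behavior described above.

```ruby
# Constructed model of project-scoped snippet lookup (not GitLab's code).
# It contrasts an unscoped lookup, which ignores the project in the URL,
# with a lookup scoped to the project named in the URL.

Project = Struct.new(:path)
Snippet = Struct.new(:id, :project_path, :visibility)

# Constructed data mirroring the "Setup used" section of the report.
PROJECTS = {
  "zarunet/test-project"      => Project.new("zarunet/test-project"),
  "zarunet/test-private-repo" => Project.new("zarunet/test-private-repo"),
  "gitlab-org/gitlab"         => Project.new("gitlab-org/gitlab"),
}.freeze

SNIPPETS = {
  2144097 => Snippet.new(2144097, "zarunet/test-project", :public),
  2144099 => Snippet.new(2144099, "zarunet/test-private-repo", :public),
  2144100 => Snippet.new(2144100, "zarunet/test-private-repo", :private),
}.freeze

# Matches "/<namespace>/<project>/-/snippets/<id>" and captures both parts.
SNIPPET_ROUTE = %r{\A/?(?<project>[^/]+/[^/]+)/-/snippets/(?<id>\d+)\z}

# Returns [project_path, snippet_id] or nil when the path is not a snippet URL.
def parse_snippet_route(path)
  m = SNIPPET_ROUTE.match(path) or return nil
  [m[:project], m[:id].to_i]
end

# Unscoped lookup: finds the snippet by id alone. The project segment of the
# URL plays no part, so any existing project path resolves the snippet.
def find_snippet_unscoped(_project_path, id)
  SNIPPETS[id]
end

# Scoped lookup: the snippet must belong to the project named in the URL.
# A mismatch is treated as "no such snippet under this project".
def find_snippet_scoped(project_path, id)
  snippet = SNIPPETS[id]
  snippet if snippet && snippet.project_path == project_path
end

# Returns the HTTP status a GET of `path` would produce with the given finder.
# Permission checks are out of scope here; the report states they looked fine.
def get_snippet(path, finder)
  project_path, id = parse_snippet_route(path)
  return 404 unless project_path && PROJECTS.key?(project_path)
  finder.call(project_path, id) ? 200 : 404
end

# Maps each URL to its status for a given finder; handy for walking the
# URL lists from the "current bug behavior" section.
def check_urls(urls, finder)
  urls.to_h { |u| [u, get_snippet(u, finder)] }
end

if __FILE__ == $PROGRAM_NAME
  urls = [
    "/zarunet/test-project/-/snippets/2144097",       # canonical
    "/zarunet/test-private-repo/-/snippets/2144097",  # non-canonical
    "/gitlab-org/gitlab/-/snippets/2144097",          # non-canonical
  ]
  puts "unscoped (reported): #{check_urls(urls, method(:find_snippet_unscoped))}"
  puts "scoped   (expected): #{check_urls(urls, method(:find_snippet_scoped))}"
end
```

Running the script shows every URL returning 200 with the unscoped finder and only the canonical URL returning 200 with the scoped one. The scoped variant is the pattern to look for in a fix: resolve the snippet through the project that the route already identified rather than by id alone, so that a non-canonical URL is indistinguishable from a non-existent one.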
Relevant logs and/or screenshots
n/a
Output of checks
This bug happens on GitLab.com