JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions
This is a repeat of gitlab-foss#59003 (closed), but with a minor change to reproduce. It now needs a note that isn't command-only.
Steps to reproduce
- Create a project
- Create an issue
- Write
some text\n/move <full path of any other project>
and click "Comment", a request to/:namespace/:project/notes
is submitted - Observe the JSON response that is being returned, which contains the serialized Project model