Create note API can specify created_at values far in the past
In https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6692, we see a user used the POST /api/:version/projects/:id/merge_requests/:noteable_id/notes API to add notes with bogus created_at values:
-2745-07-23T18:16:42.925Z
This could be abused; I wouldn't think created_at should be overridable, but it looks like https://docs.gitlab.com/ee/api/notes.html#create-new-issue-note allows project/group owners to do this.
We probably shouldn't allow the user to create values so far in the past.
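
One way to apply such a bound, as an added example (not GitLab's code and not part of the original issue): a Ruby check that rejects a supplied created_at earlier than a floor. The NoteTimestampPolicy name, the Result struct and the choice of the noteable's own creation time as the floor are assumptions made for illustration.

```ruby
require 'time'

# Hypothetical helper, not GitLab code. Decides whether a caller-supplied
# created_at may be used for a new note.
module NoteTimestampPolicy
  Result = Struct.new(:ok, :value, :reason)

  # raw:   the created_at string from the API request (nil when omitted)
  # floor: earliest acceptable Time; assumed here to be the created_at of the
  #        merge request or issue the note is attached to
  # now:   server clock, injectable for testing
  def self.check(raw, floor:, now: Time.now.utc)
    return Result.new(true, now, :defaulted) if raw.nil? || raw.strip.empty?

    begin
      # Time.iso8601 accepts negative years, so "-2745-..." parses successfully
      # and has to be rejected by the range comparison, not by the parser.
      parsed = Time.iso8601(raw).utc
    rescue ArgumentError
      return Result.new(false, nil, :unparseable)
    end

    return Result.new(false, nil, :before_noteable) if parsed < floor

    Result.new(true, parsed, :accepted)
  end
end

# Constructed sample input; only the first value comes from the report above.
FLOOR = Time.utc(2022, 1, 10, 9, 0, 0)
NOW = Time.utc(2022, 3, 30, 12, 0, 0)
SAMPLES = [
  '-2745-07-23T18:16:42.925Z',
  '2022-02-01T08:30:00Z',
  'not-a-date',
  nil
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |raw|
    r = NoteTimestampPolicy.check(raw, floor: FLOOR, now: NOW)
    puts format('%-28s ok=%-5s reason=%s', raw.inspect, r.ok, r.reason)
  end
end
```

The parser alone does not stop the reported value, since a negative year is valid ISO 8601 input to Time.iso8601; the comparison against the floor is what rejects it.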