Slack Notification Integration information leak
Summary
The Slack Notification Integration leaks comments where a group is mentioned in a note which is not accessible by that group.
Steps to reproduce
The Slack Integration discussed in #417751 (closed) will catch mentions of @gitlab-com/gl-security/appsec even in private namespaces that the group is not a member of.
What is the current bug behavior?
Mentions of the group are forwarded regardless of visibility for the group.
What is the expected correct behavior?
Group pings in notes that the group has no access to should not be forwarded.
Suggested fix
Continue with the approach in Check group member permissions in GroupMentionS... (!134677 - merged) and review and apply feedback on the MR.
Rollout Issue
[FF] `group_mention_access_check` -- Check grou... (#557801 - closed)
Edited by Ash McKenzie
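The missing check described in this issue, shown as an added Ruby example that is not GitLab's code and is not taken from !134677. The `Project` and `Note` structs, the access rule in `group_can_read?`, the project paths and the Slack channel name are all assumptions constructed for illustration.

```ruby
# Constructed model: every name below is hypothetical, not a GitLab class.
Project = Struct.new(:path, :visibility, :invited_groups)
Note    = Struct.new(:project, :body, :internal)

# Matches "@group" and nested "@group/subgroup/team" paths.
GROUP_MENTION = %r{@([\w.-]+(?:/[\w.-]+)*)}

# Groups mentioned in the note that also have a Slack subscription.
def mentioned_groups(note, known_groups)
  note.body.scan(GROUP_MENTION).flatten.uniq.select { |path| known_groups.include?(path) }
end

# Assumed access rule: a group can read a note when it was invited to the
# project, or when the project is public and the note is not internal.
def group_can_read?(group, note)
  return true if note.project.invited_groups.include?(group)
  note.project.visibility == :public && !note.internal
end

# Behaviour reported in this issue: every mention is forwarded.
def forward_unchecked(note, subscriptions)
  mentioned_groups(note, subscriptions.keys).map { |g| [subscriptions[g], note.body] }
end

# Expected behaviour: mentions of groups that cannot read the note are dropped
# before anything is sent to the group's channel.
def forward_checked(note, subscriptions)
  mentioned_groups(note, subscriptions.keys)
    .select { |g| group_can_read?(g, note) }
    .map { |g| [subscriptions[g], note.body] }
end

APPSEC = "gitlab-com/gl-security/appsec"
SUBSCRIPTIONS = { APPSEC => "#appsec-pings" }.freeze # constructed channel name

# Constructed sample notes.
PRIVATE_NOTE  = Note.new(Project.new("acme/secret", :private, []), "cc @#{APPSEC} on this", false)
PUBLIC_NOTE   = Note.new(Project.new("acme/site", :public, []), "@#{APPSEC} please review", false)
INTERNAL_NOTE = Note.new(Project.new("acme/site", :public, []), "@#{APPSEC} embargoed", true)
INVITED_NOTE  = Note.new(Project.new("acme/secret", :private, [APPSEC]), "@#{APPSEC} fyi", false)

if __FILE__ == $PROGRAM_NAME
  [PRIVATE_NOTE, PUBLIC_NOTE, INTERNAL_NOTE, INVITED_NOTE].each do |n|
    puts "#{n.project.path}: unchecked=#{forward_unchecked(n, SUBSCRIPTIONS).size} " \
         "checked=#{forward_checked(n, SUBSCRIPTIONS).size}"
  end
end
```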
