Do not reveal name of the private project to an unauthorized user in the API response

Problem

As mentioned in this thread, we are revealing the name of a private project in the error response when an attacker makes an API call (to the projects/:project_id/packages endpoint) using a composite identity CI_JOB_TOKEN and does not have access to the victim project.

curl --request GET --header "JOB-TOKEN:$CI_JOB_TOKEN" --url "https://gitlab.skundapur.net/api/v4/projects/6/packages"

The security checks we have seem to be working as intended here, preventing a CI_JOB_TOKEN from the project with ID 7 from accessing package-related information from the project with ID 6, where the user doesn't have access to that project. Just to make sure I was checking for the right access control, I added the service account as a Developer to the victim and attacker projects and also added the attacker project to the job token allow-list in the victim project. Despite all this, access is still being denied with a 403, presumably due to the existing security checks.

⚠️ However, we are revealing the name of the private victim project in the error response, which we must stop doing, as the attacker does not have access to the victim project - {"message":"403 Forbidden - Authentication by CI/CD job token not allowed from attacker-project to admin-user-private-project."}

This is a Medium severity bug::vulnerability, hence I'm applying the severity::3 and priority::3 labels.

Proposal

Return a generic error response without revealing the name of the private project.

/cc @adil.farrukh @jrandazzo Applying the group::authentication label as this is related to Composite Identity in CI pipelines. Let me know if this should belong with group::package registry instead, because of the endpoint in question? I have not tested whether there are other endpoints that do the same kind of information disclosure. As part of the fix, that needs to be investigated as well.
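As an added illustration of the Proposal (this is example code written for this issue, not GitLab's implementation), the snippet below shows the message shape that reproduces the observed leak next to a generic replacement that keeps only what the caller is entitled to know (its own project), plus a small checker that can be run over the bodies of other endpoints during the follow-up investigation. The project names, the helper names `leaky_job_token_error`, `generic_job_token_error`, `discloses_project?` and the exact wording of the generic message are all assumptions made for the example.

```ruby
require 'json'
require 'cgi'

# Constructed names for the example; they mirror the ones in the report.
ATTACKER_PROJECT = 'attacker-project'
VICTIM_PROJECT   = 'admin-user-private-project'

# Leaky variant (example, not GitLab's code): reproduces the observed message.
# The target project's path is interpolated even though the caller was just
# denied access to it, so the 403 confirms the private project's name.
def leaky_job_token_error(source_project, target_project)
  "403 Forbidden - Authentication by CI/CD job token not allowed " \
    "from #{source_project} to #{target_project}."
end

# Generic variant (example, not GitLab's code): the caller already knows its
# own project, so naming it costs nothing; the target is never mentioned.
def generic_job_token_error(source_project)
  "403 Forbidden - Authentication by CI/CD job token from " \
    "#{source_project} is not allowed for this resource."
end

# JSON envelope in the shape the API returned in the report.
def error_response(message)
  JSON.generate({ 'message' => message })
end

# Checker for the follow-up sweep of other endpoints: does a response body
# (error or otherwise) contain the victim's private path? Matches case-
# insensitively and also catches the URL-encoded form ("group%2Fproject")
# that some endpoints echo back.
def discloses_project?(body, victim_path)
  haystack = body.to_s.downcase
  [victim_path, CGI.escape(victim_path)].map(&:downcase).any? do |needle|
    haystack.include?(needle)
  end
end

if $PROGRAM_NAME == __FILE__
  leaky = error_response(leaky_job_token_error(ATTACKER_PROJECT, VICTIM_PROJECT))
  fixed = error_response(generic_job_token_error(ATTACKER_PROJECT))
  puts "leaky body:   #{leaky}"
  puts "  discloses victim? #{discloses_project?(leaky, VICTIM_PROJECT)}"
  puts "generic body: #{fixed}"
  puts "  discloses victim? #{discloses_project?(fixed, VICTIM_PROJECT)}"
end
```

One caveat the report does not settle: even a generic 403 still tells the caller that project ID 6 exists. If the goal is to avoid confirming existence as well as name, the response for a project the token cannot see would have to match whatever the API returns for a non-existent project; that is a separate decision from removing the name from the message.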