# Details of blocking merge request can be exposed via list and get merge request dependencies API endpoints
### Background

It was discovered in https://gitlab.com/gitlab-org/gitlab/-/issues/364160#note_2121282707 that the list and get API endpoints for merge request dependencies disclose details of a blocking merge request that the caller is not allowed to read.

### How to reproduce

1. Create a private project with a MR (`private-mr`).
2. Create a public project with a MR (`public-mr`).
3. Add `private-mr` as a dependency of `public-mr`.
4. View the blocks of `public-mr` via the list or get API, even as a non-signed-in user (e.g. `http://gdk.test:3000/api/v4/projects/1/merge_requests/1/blocks` or `http://gdk.test:3000/api/v4/projects/1/merge_requests/1/blocks/1`).
5. You'll be able to see the details of `private-mr` as `blocking_merge_request`.

### Expected Behavior

The details of `private-mr` shouldn't be exposed.

### Proposed fix

Don't include in the response any blocks where `current_user` cannot read the `blocking_merge_request`.

OR

1. Still return the `API::Entities::MergeRequestDependency` entity, but `blocking_merge_request` should be `nil` if `current_user` can't read it.
2. Add a `hidden_blocking_merge_request` attribute to `API::Entities::MergeRequestDependency`; it should be true or false depending on whether `current_user` can read the blocking merge request.
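The following is an added example, not GitLab's own code, that models both proposed fixes with plain Ruby objects. `Project`, `MergeRequest`, `Block`, `can_read_merge_request?` and the serializer functions are assumptions standing in for GitLab's models, `Ability.allowed?(user, :read_merge_request, mr)` and the `API::Entities::MergeRequestDependency` entity; the sample data mirrors the reproduction steps above (a public MR blocked by a private-project MR).

```ruby
# Added example: authorization-aware serialization of merge request
# dependencies. Stand-in objects, not GitLab's models.

Project      = Struct.new(:id, :public, :members, keyword_init: true)
MergeRequest = Struct.new(:id, :iid, :title, :project, keyword_init: true)
Block        = Struct.new(:id, :blocking_merge_request, keyword_init: true)

# Assumed stand-in for Ability.allowed?(user, :read_merge_request, mr):
# anyone (including anonymous, user == nil) can read MRs of public projects;
# MRs of private projects are readable only by project members.
def can_read_merge_request?(user, mr)
  return true if mr.project.public
  !user.nil? && mr.project.members.include?(user)
end

# Minimal representation of the nested blocking MR entity.
def blocking_mr_entity(mr)
  { id: mr.id, iid: mr.iid, title: mr.title, project_id: mr.project.id }
end

# Proposed fix, option A: omit any block whose blocking MR the current
# user cannot read. The response simply never mentions it.
def visible_blocks(blocks, current_user)
  blocks
    .select { |b| can_read_merge_request?(current_user, b.blocking_merge_request) }
    .map { |b| { id: b.id, blocking_merge_request: blocking_mr_entity(b.blocking_merge_request) } }
end

# Proposed fix, option B: keep every block so the caller still learns that
# *something* blocks the MR, but replace unreadable blockers with nil and
# flag them via hidden_blocking_merge_request.
def masked_blocks(blocks, current_user)
  blocks.map do |b|
    readable = can_read_merge_request?(current_user, b.blocking_merge_request)
    {
      id: b.id,
      blocking_merge_request: readable ? blocking_mr_entity(b.blocking_merge_request) : nil,
      hidden_blocking_merge_request: !readable
    }
  end
end

# Constructed sample data mirroring the reproduction steps.
PRIVATE_PROJECT = Project.new(id: 2, public: false, members: ["alice"])
PUBLIC_PROJECT  = Project.new(id: 1, public: true,  members: ["alice"])

PRIVATE_MR     = MergeRequest.new(id: 10, iid: 1, title: "private-mr",     project: PRIVATE_PROJECT)
PUBLIC_BLOCKER = MergeRequest.new(id: 11, iid: 2, title: "public-blocker", project: PUBLIC_PROJECT)

# Blocks of public-mr: one by the private MR, one by another public MR.
BLOCKS = [
  Block.new(id: 1, blocking_merge_request: PRIVATE_MR),
  Block.new(id: 2, blocking_merge_request: PUBLIC_BLOCKER)
]

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, option A: #{visible_blocks(BLOCKS, nil).inspect}"
  puts "anonymous, option B: #{masked_blocks(BLOCKS, nil).inspect}"
  puts "member alice, option A: #{visible_blocks(BLOCKS, 'alice').inspect}"
end
```

Running the script shows that an anonymous caller sees only block 2 under option A, and under option B sees block 1 with `blocking_merge_request: nil` and `hidden_blocking_merge_request: true`, while the project member `alice` sees both blockers in full. The check is applied per block against the blocking MR, not against the MR whose blocks are listed, which is exactly the distinction the vulnerable endpoints missed.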