Search by iid leaks private data
This is a follow-up issue from a new security vulnerability noticed at #29491 (comment 225857931).
Basically any search by iid is going to have the possibility of displaying all sorts of random results you do not have access to.
The reason is that we are finding any type of record by iid and then converting it back to the type of record you were searching for. So, for example, you may be searching for merge requests with iid=435 (i.e. searching for !435) and we are going to look in all projects you have access to, and we may find some Issue with iid=435 that has an id=1000 (for example). Then we go ahead and look in the DB for a MergeRequest with id=1000, which is really bad because that MergeRequest is now in some random project that you don't even have access to.
We are exposing the title and part of the description as well as project and group names to you.
This is due to not filtering by type in https://gitlab.com/gitlab-org/gitlab/blob/df356f85ed467702368a4bcd2387b07eb2600b62/ee/lib/elastic/latest/application_class_proxy.rb#L85
We should filter the same as we do at https://gitlab.com/gitlab-org/gitlab/blob/df356f85ed467702368a4bcd2387b07eb2600b62/ee/lib/elastic/latest/application_class_proxy.rb#L55
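The lookup described above, reduced to an in-memory model as an added example (not GitLab's code). The index, table and method names are constructed for illustration, and the type filter stands in for the one the issue proposes.

```ruby
# Constructed model of the bug: a shared search index holding several record
# types, and a per-type database table keyed by id. All names are hypothetical.
Doc = Struct.new(:type, :id, :iid, :project_id)
MergeRequest = Struct.new(:id, :iid, :project_id, :title)

# Shared index: issues and merge requests live side by side (constructed data).
INDEX = [
  Doc.new("issue",         1000, 435, 1),  # issue in project 1 (searcher has access)
  Doc.new("merge_request",   77, 435, 1),  # MR in project 1 (searcher has access)
  Doc.new("merge_request", 1000,  12, 9),  # MR in private project 9
].freeze

# Database table for merge requests, keyed by primary key id.
MR_TABLE = {
  77   => MergeRequest.new(77, 435, 1, "Fix typo in README"),
  1000 => MergeRequest.new(1000, 12, 9, "Confidential: rotate signing keys"),
}.freeze

# Before: match on iid and accessible projects only, then load the hits as
# merge requests by id. An issue hit with id=1000 resolves to MR id=1000.
def search_mrs_by_iid_unfiltered(iid, accessible_project_ids)
  hits = INDEX.select { |d| d.iid == iid && accessible_project_ids.include?(d.project_id) }
  hits.map { |d| MR_TABLE[d.id] }.compact
end

# After: the index query also filters by document type, so only merge request
# documents can contribute ids to the merge request lookup.
def search_mrs_by_iid_filtered(iid, accessible_project_ids)
  hits = INDEX.select do |d|
    d.type == "merge_request" && d.iid == iid && accessible_project_ids.include?(d.project_id)
  end
  hits.map { |d| MR_TABLE[d.id] }.compact
end

# Regression check: every returned record must belong to an accessible project.
def leaked(results, accessible_project_ids)
  results.reject { |r| accessible_project_ids.include?(r.project_id) }
end

if __FILE__ == $PROGRAM_NAME
  access = [1]
  puts "unfiltered leaks: #{leaked(search_mrs_by_iid_unfiltered(435, access), access).map(&:title)}"
  puts "filtered leaks:   #{leaked(search_mrs_by_iid_filtered(435, access), access).map(&:title)}"
end
```

The `leaked` helper is the shape of a regression test for this class of bug: assert that no search result resolves to a project outside the searcher's access set.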