comments search leaks system notes
A follow-up from a previous HackerOne report:
The comments search still seems to leak data about private issues.
Go, as an anonymous user, to https://gitlab.com/search?group_id=9970&repository_ref=&scope=notes&search=nextbit&snippets=
You will see a comment on a private issue, of a private project, of a private group.
Therefore, the search is leaking the existence of private projects, private groups, and issues.
If you open the returned issue, the information is properly hidden.
Basically, the notes scope search is not properly cleared of private information. I suppose it is the same with notes from MRs or other components, but I don't want to blindly look for private projects.
Please note that the names of projects could reveal the names of customers (in our case, nextbit is the company I work for, but the name of the project should be confidential).
You can also reproduce it through the API:
curl "https://gitlab.com/api/v4/projects/278964/search?scope=notes&search=nextbit" --header "PRIVATE-TOKEN: secret"
This was initially mentioned in #33399 (comment 227673311) and then determined to be a separate issue.
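
The check the report describes as missing from the notes scope, shown as an added Ruby sketch (not GitLab's code and not part of the original report): a text match is returned only if the requester may read the note's parent issue and project. All class names, method names and sample data are hypothetical and constructed, and the permission model is deliberately simplified.

```ruby
# Added illustration: every name here is hypothetical, not GitLab's code.
Group   = Struct.new(:id, :member_ids)
Project = Struct.new(:id, :group, :visibility, :member_ids)
Issue   = Struct.new(:id, :project, :confidential)
Note    = Struct.new(:id, :noteable, :body)

# user_id is nil for an anonymous request.
def project_member?(project, user_id)
  return false if user_id.nil?
  project.member_ids.include?(user_id) || project.group.member_ids.include?(user_id)
end

def can_read_project?(project, user_id)
  project.visibility == :public || project_member?(project, user_id)
end

def can_read_issue?(issue, user_id)
  return false unless can_read_project?(issue.project, user_id)
  !issue.confidential || project_member?(issue.project, user_id)
end

# The text match alone decides nothing: a hit is returned only when the
# requester may read the note's parent issue and its project.
def search_notes(notes, term, user_id)
  needle = term.downcase
  notes.select do |note|
    note.body.downcase.include?(needle) && can_read_issue?(note.noteable, user_id)
  end
end

# Constructed sample data (not taken from the report).
GROUP        = Group.new(1, [42])
PRIVATE_PROJ = Project.new(10, GROUP, :private, [])
PUBLIC_PROJ  = Project.new(11, GROUP, :public, [])
NOTES = [
  Note.new(100, Issue.new(1, PRIVATE_PROJ, false), "mentioned in customer-x rollout"),
  Note.new(101, Issue.new(2, PUBLIC_PROJ, false),  "customer-x docs are public"),
  Note.new(102, Issue.new(3, PUBLIC_PROJ, true),   "customer-x contract details")
]

# IDs of the notes a given requester gets back for the sample search term.
def visible_note_ids(user_id)
  search_notes(NOTES, "customer-x", user_id).map(&:id)
end
```

The same three requester cases (anonymous, non-member, member) make a useful regression test for every search scope that returns child records of a project.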