Security: Private snippets visible to non-project members

/cc @DouweM

It would seem this is a result of the Projects::SnippetController (for project snippets) not having a check for snippet lookup as the SnippetController (for personal snippets) does, but I am not very familiar with the GitLab code.

In e3351287, in app/controllers/projects/snippets_controller.rb, before_filter :authorize_read_snippet! was replaced with before_filter :authorize_read_project_snippet!. authorize_read_snippet! is defined in app/controllers/snippets_controller.rb, but authorize_read_project_snippet! is not defined anywhere from what I can tell.

@rabbitfang Thanks for reporting this. It is our first confidential issue

Added ~14106 label

Milestone changed to 8.6

Milestone changed to 8.7

I assigned milestone 8.7 but we should probably put this in a patch release.

mentioned in issue #14303 (closed)

Milestone changed to 8.6

Added ~12980 label

@sytses This will definitely go into a 8.6 patch release.

Reassigned to @rymai

Fixed by https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1946.

Status changed to closed by commit f4bdefdf

mentioned in commit 8d5a55ef

After 8.6.2 is made live on GitLab.com, would it be okay to remove the confidential status of this issue (and maybe remove the screenshot from the description)?

@rabbitfang Done. Thank you!

There is no mention in the blog post that the patch release also fixed a security issue. Since the vulnerability seems to have been around for a long time (over 3 years), a notice should be given about it (and the fix possibly backported).