Notes JSON is accessible without authentication for confidential issues

Comments on confidential issues can be intercepted if you know the

For example, get all comments from https://gitlab.com/gitlab-org/gitlab-ce/issues/18302#note_12427857: https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=1465855717

The vulnerability is exploitable in a number of ways. For one, just iterate through every comment ID and scrape until you find the word "security" in there. Alternatively, if someone links to a comment in an issue, the URL won't be rendered by Banzai but the comment ID still is.

Also, it's not just new comments, just set the last_fetched_at to whenever you want! https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=0000000

Try those URLs in incognito/private mode, they work :)

Do I get a vulnerability reward for this?

cc: @stanhu

Nice find

@dbalexandre Can you take a look at this one? It looks to me that NotesFinder doesn't seem to check whether the issue is visible to the user.

@stanhu Sure! I'll take a look.

Reassigned to @dbalexandre

MR https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1970

Status changed to closed

Made the issue visible

Made the issue confidential

Made the issue visible

mentioned in commit 6e05270b

Mentioned in commit pfjason/gitlab-ce@ea13df6d

Mentioned in commit pfjason/gitlab-ce@fa854474

Mentioned in commit pfjason/gitlab-ce@33b59e7f

Mentioned in commit pfjason/gitlab-ce@e7a8fe07

Mentioned in commit pfjason/gitlab-ce@6e05270b