Issue title leakage when external issue tracker is enabled

Summary

After enabling external issue tracker it's possible to discover titles of all issues in a given GitLab instance. This exploit allows to do that for issues in private projects that we don't have access to as well as confidential issues.

Steps to reproduce

Create a public project
Create a merge request
Comment with https://gitlab.com/gitlab-com/customers-gitlab-com/issues/158 (private project, confidential issue)
Open the merge request in incognito mode
Link is not changed to a reference
Enable external issue tracker for the project
Open the merge request in incognito mode
Link is changed to a reference and it's possible to see issue title in the tooltip

Example Project

https://gitlab.com/adamniedzielski/test-project-1/merge_requests/12

Possible fixes

Here is the bug:

module Banzai
  module ReferenceParser
    class IssueParser < BaseParser
      self.reference_type = :issue

      def nodes_visible_to_user(user, nodes)
        # It is not possible to check access rights for external issue trackers
        return nodes if project && project.external_issue_tracker
        
        # [...]
      end
    end
  end
end

Admin message

Admin message

Issue title leakage when external issue tracker is enabled

Summary

Steps to reproduce

Example Project

Possible fixes