Prevent project snippets from being accessed from non-canonical URLs

app/controllers/concerns/find_snippet.rb

@@ -9,7 +9,7 @@ module FindSnippet
   # rubocop:disable CodeReuse/ActiveRecord
   def snippet
     strong_memoize(:snippet) do
-      snippet_klass.inc_relations_for_view.find_by(id: snippet_id)
+      snippet_klass.inc_relations_for_view.find_by(snippet_find_params)
     end
   end
   # rubocop:enable CodeReuse/ActiveRecord
@@ -21,4 +21,8 @@ module FindSnippet
   def snippet_id
     params[:id]
   end
+
+  def snippet_find_params
+    { id: snippet_id }
+  end
 end

app/controllers/projects/snippets_controller.rb

 # frozen_string_literal: true
 
 class Projects::SnippetsController < Projects::Snippets::ApplicationController
+  extend ::Gitlab::Utils::Override
   include SnippetsActions
   include ToggleAwardEmoji
   include SpammableActions
@@ -45,4 +46,9 @@ class Projects::SnippetsController < Projects::Snippets::ApplicationController
   def spammable_path
     project_snippet_path(@project, @snippet)
   end
+
+  override :snippet_find_params
+  def snippet_find_params
+    super.merge(project_id: project.id)
+  end
 end

spec/controllers/projects/snippets_controller_spec.rb

@@ -181,6 +181,24 @@ RSpec.describe Projects::SnippetsController do
           end
         end
       end
+
+      context 'when the project snippet is public' do
+        let_it_be(:project_snippet_public) { create(:project_snippet, :public, :repository, project: project, author: user) }
+
+        context 'when attempting to access from a different project route' do
+          subject { get action, params: { namespace_id: project.namespace, project_id: 42, id: project_snippet_public.to_param } }
+
+          before do
+            sign_in(user)
+          end
+
+          it 'responds with status 404' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end