Commit 02f93da8 authored by Kamil Trzciński's avatar Kamil Trzciński Committed by Robert Speicher

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables
parent 68e31c09
...@@ -1589,8 +1589,11 @@ class Project < ActiveRecord::Base ...@@ -1589,8 +1589,11 @@ class Project < ActiveRecord::Base
end end
def protected_for?(ref) def protected_for?(ref)
ProtectedBranch.protected?(self, ref) || if repository.branch_exists?(ref)
ProtectedBranch.protected?(self, ref)
elsif repository.tag_exists?(ref)
ProtectedTag.protected?(self, ref) ProtectedTag.protected?(self, ref)
end
end end
def deployment_variables def deployment_variables
......
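Review bot: The rewritten `protected_for?` has no `else` branch, so a ref that is neither an existing branch nor an existing tag (a bare SHA, or a name that has since been deleted) now yields `nil` rather than `false`; that is the safe direction, but a predicate should return a boolean, so either add `else false` or state the contract in a comment such as `# Returns true only when +ref+ resolves to an existing branch or tag whose protection rules match; any other ref is treated as unprotected.` The branch check is evaluated first, so when the same name exists as both a branch and a tag only ProtectedBranch rules apply; if callers such as Ci::Build already know whether the pipeline runs for a tag, passing that in would be more precise than probing the repository, though that is not visible here. Each call now performs up to two repository lookups, which is worth noting if this sits on a hot path. The enclosing class continues outside the hunk.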
---
title: Fix wilcard protected tags protecting all branches
merge_request:
author:
type: security
...@@ -1590,7 +1590,7 @@ describe Ci::Build do ...@@ -1590,7 +1590,7 @@ describe Ci::Build do
context 'when the branch is protected' do context 'when the branch is protected' do
before do before do
create(:protected_branch, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1598,7 +1598,7 @@ describe Ci::Build do ...@@ -1598,7 +1598,7 @@ describe Ci::Build do
context 'when the tag is protected' do context 'when the tag is protected' do
before do before do
create(:protected_tag, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1635,7 +1635,7 @@ describe Ci::Build do ...@@ -1635,7 +1635,7 @@ describe Ci::Build do
context 'when the branch is protected' do context 'when the branch is protected' do
before do before do
create(:protected_branch, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1643,7 +1643,7 @@ describe Ci::Build do ...@@ -1643,7 +1643,7 @@ describe Ci::Build do
context 'when the tag is protected' do context 'when the tag is protected' do
before do before do
create(:protected_tag, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
......
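Review bot: All four `before` blocks in this section now carry the identical stub `allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)`, so the 'when the branch is protected' and 'when the tag is protected' contexts no longer differ in setup and assert the same thing twice. Either collapse each pair into a single 'when the ref is protected' context, or keep the distinction meaningful by also setting the build up as a tag build in the tag contexts. The same duplication appears in the group_spec hunks below. The surrounding `describe` blocks start and end outside these hunks.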
...@@ -549,7 +549,7 @@ describe Group do ...@@ -549,7 +549,7 @@ describe Group do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
create(:protected_branch, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -557,7 +557,7 @@ describe Group do ...@@ -557,7 +557,7 @@ describe Group do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
create(:protected_tag, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -571,6 +571,10 @@ describe Group do ...@@ -571,6 +571,10 @@ describe Group do
let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) } let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) } let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
before do
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it 'returns all variables belong to the group and parent groups' do it 'returns all variables belong to the group and parent groups' do
expected_array1 = [protected_variable, secret_variable] expected_array1 = [protected_variable, secret_variable]
expected_array2 = [variable_child, variable_child_2, variable_child_3] expected_array2 = [variable_child, variable_child_2, variable_child_3]
......
...@@ -2092,7 +2092,7 @@ describe Project do ...@@ -2092,7 +2092,7 @@ describe Project do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
create(:protected_branch, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -2100,7 +2100,7 @@ describe Project do ...@@ -2100,7 +2100,7 @@ describe Project do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
create(:protected_tag, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -2125,6 +2125,8 @@ describe Project do ...@@ -2125,6 +2125,8 @@ describe Project do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
allow(project).to receive(:repository).and_call_original
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
create(:protected_branch, name: 'ref', project: project) create(:protected_branch, name: 'ref', project: project)
end end
...@@ -2135,6 +2137,8 @@ describe Project do ...@@ -2135,6 +2137,8 @@ describe Project do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
create(:protected_tag, name: 'ref', project: project) create(:protected_tag, name: 'ref', project: project)
end end
......
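Review bot: None of the added contexts exercises the scenario the commit fixes — a protected tag with a wildcard name (for example `*`) while `'ref'` exists only as a branch — so a regression example asserting that `protected_for?('ref')` is false in that case would pin the fix; as far as these hunks show, only exact-name matches are covered. The two contexts also stub the repository differently: the branch context first does `allow(project).to receive(:repository).and_call_original`, so the chain appears to stub `branch_exists?` on the real repository, whereas the tag context omits that line and so seems to replace `project.repository` with a double that answers only the two stubbed messages. If `project.repository` is memoized, stubbing it directly with `allow(project.repository).to receive(:branch_exists?).with('ref').and_return(true)` and the matching `tag_exists?` line avoids `receive_message_chain` and makes both contexts behave the same. The enclosing `describe Project` block continues outside the hunks.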