Commit 7501d649 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-badges-leaked-to-unauthorized-users' into 'master'

Don't display badges when builds are restricted

Closes #2864

See merge request gitlab/gitlabhq!3175
parents c4bc5dff 1c42f748
...@@ -3,7 +3,8 @@ ...@@ -3,7 +3,8 @@
class Projects::BadgesController < Projects::ApplicationController class Projects::BadgesController < Projects::ApplicationController
layout 'project_settings' layout 'project_settings'
before_action :authorize_admin_project!, only: [:index] before_action :authorize_admin_project!, only: [:index]
before_action :no_cache_headers, except: [:index] before_action :no_cache_headers, only: [:pipeline, :coverage]
before_action :authorize_read_build!, only: [:pipeline, :coverage]
def pipeline def pipeline
pipeline_status = Gitlab::Badge::Pipeline::Status pipeline_status = Gitlab::Badge::Pipeline::Status
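Review bot: The new `before_action :authorize_read_build!, only: [:pipeline, :coverage]` line carries no comment saying why badges are gated on build visibility rather than project visibility, and since badges are normally embedded in READMEs of public pages, a later maintainer could easily read the 404 on a public project with `public_builds: false` as a regression and loosen it. I would add `# Badges reveal pipeline status/coverage, so they follow the project's build visibility (read_build), not plain project visibility` above it. The `only: [:pipeline, :coverage]` list is now duplicated on two `before_action`s; a `BADGE_ACTIONS = %i[pipeline coverage].freeze` constant would keep the two from drifting when an action is added. Note too that switching `no_cache_headers` from `except: [:index]` to an explicit `only:` means any future badge action must opt in to no-cache headers, which matters more now that responses are per-user authorized; keeping `no_cache_headers` ahead of the authorization, as the hunk does, appears to mark the denied response uncacheable as well.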
---
title: Show badges if pipelines are public otherwise default to project permissions.
erge_request:
author:
type: security
...@@ -7,32 +7,54 @@ describe Projects::BadgesController do ...@@ -7,32 +7,54 @@ describe Projects::BadgesController do
let!(:pipeline) { create(:ci_empty_pipeline) } let!(:pipeline) { create(:ci_empty_pipeline) }
let(:user) { create(:user) } let(:user) { create(:user) }
shared_examples 'a badge resource' do |badge_type|
context 'when pipelines are public' do
before do before do
project.add_maintainer(user) project.update!(public_builds: true)
sign_in(user) end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end end
it 'requests the pipeline badge successfully' do it "returns the #{badge_type} badge to unauthenticated users" do
get_badge(:pipeline) get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
end
it 'requests the coverage badge successfully' do context 'when project is restricted' do
get_badge(:coverage) before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it "returns the #{badge_type} badge to guest users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
end
end
context 'format' do
before do
project.add_maintainer(user)
sign_in(user)
end
it 'renders the `flat` badge layout by default' do it 'renders the `flat` badge layout by default' do
get_badge(:coverage) get_badge(badge_type)
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
context 'when style param is set to `flat`' do context 'when style param is set to `flat`' do
it 'renders the `flat` badge layout' do it 'renders the `flat` badge layout' do
get_badge(:coverage, 'flat') get_badge(badge_type, 'flat')
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
...@@ -40,7 +62,7 @@ describe Projects::BadgesController do ...@@ -40,7 +62,7 @@ describe Projects::BadgesController do
context 'when style param is set to an invalid type' do context 'when style param is set to an invalid type' do
it 'renders the `flat` (default) badge layout' do it 'renders the `flat` (default) badge layout' do
get_badge(:coverage, 'xxx') get_badge(badge_type, 'xxx')
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
...@@ -48,11 +70,53 @@ describe Projects::BadgesController do ...@@ -48,11 +70,53 @@ describe Projects::BadgesController do
context 'when style param is set to `flat-square`' do context 'when style param is set to `flat-square`' do
it 'renders the `flat-square` badge layout' do it 'renders the `flat-square` badge layout' do
get_badge(:coverage, 'flat-square') get_badge(badge_type, 'flat-square')
expect(response).to render_template('projects/badges/badge_flat-square') expect(response).to render_template('projects/badges/badge_flat-square')
end end
end end
end
context 'when pipelines are not public' do
before do
project.update!(public_builds: false)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns 404 to unauthenticated users' do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when project is restricted to the user' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it 'defaults to project permissions' do
get_badge(:coverage)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
describe '#pipeline' do
it_behaves_like 'a badge resource', :pipeline
end
describe '#coverage' do
it_behaves_like 'a badge resource', :coverage
end
def get_badge(badge, style = nil) def get_badge(badge, style = nil)
params = { params = {
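Review bot: In the 'when project is restricted to the user' example, `get_badge(:coverage)` hard-codes the badge type inside a shared example that is parameterized by `badge_type`, so the `:pipeline` variant of the restricted-guest case is never actually exercised; change it to `get_badge(badge_type)` and name the example for what it asserts, e.g. `it "returns 404 for the #{badge_type} badge to guest users"`, since 'defaults to project permissions' does not say what is expected. It would also be worth adding an example for a signed-in non-member on the public project with `public_builds: false`, as that is the other audience a badge URL is shared with and it is not covered by the unauthenticated example. `get_badge` starts inside this hunk but its body continues outside it.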