Commit 7501d649 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix-badges-leaked-to-unauthorized-users' into 'master'

Don't display badges when builds are restricted

Closes #2864

See merge request gitlab/gitlabhq!3175
parents c4bc5dff 1c42f748
......@@ -3,7 +3,8 @@
class Projects::BadgesController < Projects::ApplicationController
layout 'project_settings'
before_action :authorize_admin_project!, only: [:index]
before_action :no_cache_headers, except: [:index]
before_action :no_cache_headers, only: [:pipeline, :coverage]
before_action :authorize_read_build!, only: [:pipeline, :coverage]
def pipeline
pipeline_status = Gitlab::Badge::Pipeline::Status
......
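Review bot: The new `before_action :authorize_read_build!, only: [:pipeline, :coverage]` is the whole fix but carries no explanation, and a later reader will wonder why badge endpoints — normally treated as world-readable images — are gated on build permissions; I'd add above it `# Badges expose pipeline status and coverage, i.e. build data, so they follow build visibility (public_builds, per the spec) rather than being world-readable.`. The `no_cache_headers` line directly above it also became load-bearing with this change: the same URL now returns different results depending on the viewer, so a shared cache serving a badge rendered for an authorized user would leak it, and a one-line comment saying so would stop someone from "optimizing" it away. Ordering is correct as written (both filters run before the action; neither depends on the other). The `pipeline` method body continues outside the hunk.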
---
title: Show badges if pipelines are public otherwise default to project permissions.
erge_request:
author:
type: security
......@@ -7,32 +7,54 @@ describe Projects::BadgesController do
let!(:pipeline) { create(:ci_empty_pipeline) }
let(:user) { create(:user) }
shared_examples 'a badge resource' do |badge_type|
context 'when pipelines are public' do
before do
project.add_maintainer(user)
sign_in(user)
project.update!(public_builds: true)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'requests the pipeline badge successfully' do
get_badge(:pipeline)
it "returns the #{badge_type} badge to unauthenticated users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
it 'requests the coverage badge successfully' do
get_badge(:coverage)
context 'when project is restricted' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it "returns the #{badge_type} badge to guest users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok)
end
end
end
context 'format' do
before do
project.add_maintainer(user)
sign_in(user)
end
it 'renders the `flat` badge layout by default' do
get_badge(:coverage)
get_badge(badge_type)
expect(response).to render_template('projects/badges/badge')
end
context 'when style param is set to `flat`' do
it 'renders the `flat` badge layout' do
get_badge(:coverage, 'flat')
get_badge(badge_type, 'flat')
expect(response).to render_template('projects/badges/badge')
end
......@@ -40,7 +62,7 @@ describe Projects::BadgesController do
context 'when style param is set to an invalid type' do
it 'renders the `flat` (default) badge layout' do
get_badge(:coverage, 'xxx')
get_badge(badge_type, 'xxx')
expect(response).to render_template('projects/badges/badge')
end
......@@ -48,11 +70,53 @@ describe Projects::BadgesController do
context 'when style param is set to `flat-square`' do
it 'renders the `flat-square` badge layout' do
get_badge(:coverage, 'flat-square')
get_badge(badge_type, 'flat-square')
expect(response).to render_template('projects/badges/badge_flat-square')
end
end
end
context 'when pipelines are not public' do
before do
project.update!(public_builds: false)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns 404 to unauthenticated users' do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when project is restricted to the user' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it 'defaults to project permissions' do
get_badge(:coverage)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
describe '#pipeline' do
it_behaves_like 'a badge resource', :pipeline
end
describe '#coverage' do
it_behaves_like 'a badge resource', :coverage
end
def get_badge(badge, style = nil)
params = {
......
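Review bot: In the 'defaults to project permissions' example the call is `get_badge(:coverage)` while every sibling in the shared example uses the `badge_type` parameter, so the `:pipeline` variant invoked via `it_behaves_like 'a badge resource', :pipeline` silently re-tests the coverage badge and the pipeline badge is never checked in the restricted/non-public case; it should read `get_badge(badge_type)`. The 'when pipelines are public' context also lacks the negative case that matters most for this fix: a request that cannot see the project at all (PRIVATE visibility, no membership) must still get 404 even though `public_builds` is true, otherwise `public_builds` would override project visibility. Whether `authorize_read_build!` already enforces that is not visible from this hunk, which is exactly why a spec should pin it; I'd add the context below inside the 'when pipelines are public' block, after 'when project is restricted'.
```ruby
    # inside context 'when pipelines are public', after 'when project is restricted'
    context 'when project is private and the requester is not a member' do
      before do
        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
      end

      it "does not return the #{badge_type} badge to unauthenticated users" do
        get_badge(badge_type)

        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
```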