Commit d1fdbf8c authored by Fabio Pitino's avatar Fabio Pitino

Don't display badges when builds are restricted

Badges were leaked to unauthorized users even when Public Builds
project setting is disabled.

Added guard clause to the controller to check if user can read
build.
parent 1c320888
...@@ -3,7 +3,8 @@ ...@@ -3,7 +3,8 @@
class Projects::BadgesController < Projects::ApplicationController class Projects::BadgesController < Projects::ApplicationController
layout 'project_settings' layout 'project_settings'
before_action :authorize_admin_project!, only: [:index] before_action :authorize_admin_project!, only: [:index]
before_action :no_cache_headers, except: [:index] before_action :no_cache_headers, only: [:pipeline, :coverage]
before_action :authorize_read_build!, only: [:pipeline, :coverage]
def pipeline def pipeline
pipeline_status = Gitlab::Badge::Pipeline::Status pipeline_status = Gitlab::Badge::Pipeline::Status
......
---
title: Show badges if pipelines are public otherwise default to project permissions.
erge_request:
author:
type: security
...@@ -7,32 +7,54 @@ describe Projects::BadgesController do ...@@ -7,32 +7,54 @@ describe Projects::BadgesController do
let!(:pipeline) { create(:ci_empty_pipeline) } let!(:pipeline) { create(:ci_empty_pipeline) }
let(:user) { create(:user) } let(:user) { create(:user) }
shared_examples 'a badge resource' do |badge_type|
context 'when pipelines are public' do
before do before do
project.add_maintainer(user) project.update!(public_builds: true)
sign_in(user) end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end end
it 'requests the pipeline badge successfully' do it "returns the #{badge_type} badge to unauthenticated users" do
get_badge(:pipeline) get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
end
it 'requests the coverage badge successfully' do context 'when project is restricted' do
get_badge(:coverage) before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it "returns the #{badge_type} badge to guest users" do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
end
end
context 'format' do
before do
project.add_maintainer(user)
sign_in(user)
end
it 'renders the `flat` badge layout by default' do it 'renders the `flat` badge layout by default' do
get_badge(:coverage) get_badge(badge_type)
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
context 'when style param is set to `flat`' do context 'when style param is set to `flat`' do
it 'renders the `flat` badge layout' do it 'renders the `flat` badge layout' do
get_badge(:coverage, 'flat') get_badge(badge_type, 'flat')
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
...@@ -40,7 +62,7 @@ describe Projects::BadgesController do ...@@ -40,7 +62,7 @@ describe Projects::BadgesController do
context 'when style param is set to an invalid type' do context 'when style param is set to an invalid type' do
it 'renders the `flat` (default) badge layout' do it 'renders the `flat` (default) badge layout' do
get_badge(:coverage, 'xxx') get_badge(badge_type, 'xxx')
expect(response).to render_template('projects/badges/badge') expect(response).to render_template('projects/badges/badge')
end end
...@@ -48,11 +70,53 @@ describe Projects::BadgesController do ...@@ -48,11 +70,53 @@ describe Projects::BadgesController do
context 'when style param is set to `flat-square`' do context 'when style param is set to `flat-square`' do
it 'renders the `flat-square` badge layout' do it 'renders the `flat-square` badge layout' do
get_badge(:coverage, 'flat-square') get_badge(badge_type, 'flat-square')
expect(response).to render_template('projects/badges/badge_flat-square') expect(response).to render_template('projects/badges/badge_flat-square')
end end
end end
end
context 'when pipelines are not public' do
before do
project.update!(public_builds: false)
end
context 'when project is public' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
end
it 'returns 404 to unauthenticated users' do
get_badge(badge_type)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when project is restricted to the user' do
before do
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
project.add_guest(user)
sign_in(user)
end
it 'defaults to project permissions' do
get_badge(:coverage)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
describe '#pipeline' do
it_behaves_like 'a badge resource', :pipeline
end
describe '#coverage' do
it_behaves_like 'a badge resource', :coverage
end
def get_badge(badge, style = nil) def get_badge(badge, style = nil)
params = { params = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment