Don't display badges when builds are restricted

Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.

Don't display badges when builds are restricted
Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
d1fdbf8c · Fabio Pitino · 1c320888 · d1fdbf8c · d1fdbf8c · d1fdbf8c
Commit d1fdbf8c authored Jun 21, 2019 by Fabio Pitino
3 changed files
--- a/app/controllers/projects/badges_controller.rb
+++ b/app/controllers/projects/badges_controller.rb
@@ -3,7 +3,8 @@
 class Projects::BadgesController < Projects::ApplicationController
  layout 'project_settings'
  before_action :authorize_admin_project!, only: [:index]
-  before_action :no_cache_headers, except: [:index]
+  before_action :no_cache_headers, only: [:pipeline, :coverage]
+  before_action :authorize_read_build!, only: [:pipeline, :coverage]

  def pipeline
    pipeline_status = Gitlab::Badge::Pipeline::Status

--- a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
+++ b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
+---
+title: Show badges if pipelines are public otherwise default to project permissions.
+erge_request:
+author:
+type: security
--- a/spec/controllers/projects/badges_controller_spec.rb
+++ b/spec/controllers/projects/badges_controller_spec.rb
@@ -7,32 +7,54 @@ describe Projects::BadgesController do
  let!(:pipeline) { create(:ci_empty_pipeline) }
  let(:user) { create(:user) }

+  shared_examples 'a badge resource' do |badge_type|
+    context 'when pipelines are public' do
      before do
-    project.add_maintainer(user)
-    sign_in(user)
+        project.update!(public_builds: true)
+      end
+
+      context 'when project is public' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
        end

-  it 'requests the pipeline badge successfully' do
-    get_badge(:pipeline)
+        it "returns the #{badge_type} badge to unauthenticated users" do
+          get_badge(badge_type)

          expect(response).to have_gitlab_http_status(:ok)
        end
+      end

-  it 'requests the coverage badge successfully' do
-    get_badge(:coverage)
+      context 'when project is restricted' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.add_guest(user)
+          sign_in(user)
+        end
+
+        it "returns the #{badge_type} badge to guest users" do
+          get_badge(badge_type)

          expect(response).to have_gitlab_http_status(:ok)
        end
+      end
+    end
+
+    context 'format' do
+      before do
+        project.add_maintainer(user)
+        sign_in(user)
+      end

      it 'renders the `flat` badge layout by default' do
-    get_badge(:coverage)
+        get_badge(badge_type)

        expect(response).to render_template('projects/badges/badge')
      end

      context 'when style param is set to `flat`' do
        it 'renders the `flat` badge layout' do
-      get_badge(:coverage, 'flat')
+          get_badge(badge_type, 'flat')

          expect(response).to render_template('projects/badges/badge')
        end
@@ -40,7 +62,7 @@ describe Projects::BadgesController do

      context 'when style param is set to an invalid type' do
        it 'renders the `flat` (default) badge layout' do
-      get_badge(:coverage, 'xxx')
+          get_badge(badge_type, 'xxx')

          expect(response).to render_template('projects/badges/badge')
        end
@@ -48,11 +70,53 @@ describe Projects::BadgesController do

      context 'when style param is set to `flat-square`' do
        it 'renders the `flat-square` badge layout' do
-      get_badge(:coverage, 'flat-square')
+          get_badge(badge_type, 'flat-square')

          expect(response).to render_template('projects/badges/badge_flat-square')
        end
      end
+    end
+
+    context 'when pipelines are not public' do
+      before do
+        project.update!(public_builds: false)
+      end
+
+      context 'when project is public' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+        end
+
+        it 'returns 404 to unauthenticated users' do
+          get_badge(badge_type)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'when project is restricted to the user' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.add_guest(user)
+          sign_in(user)
+        end
+
+        it 'defaults to project permissions' do
+          get_badge(:coverage)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+
+  describe '#pipeline' do
+    it_behaves_like 'a badge resource', :pipeline
+  end
+
+  describe '#coverage' do
+    it_behaves_like 'a badge resource', :coverage
+  end

  def get_badge(badge, style = nil)
    params = {