Commit 6d88aabd authored by Douwe Maan's avatar Douwe Maan Committed by Tomasz Maczukin

Merge branch 'fix/unauthorized-access-to-build-data' into 'master'

Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968
parent 680453b7
......@@ -77,7 +77,7 @@ class Projects::BuildsController < Projects::ApplicationController
private
def build
@build ||= ci_project.builds.unscoped.find_by!(id: params[:id])
@build ||= ci_project.builds.find_by!(id: params[:id])
end
def artifacts_file
......
......@@ -7,6 +7,7 @@ describe "Builds" do
login_as(:user)
@commit = FactoryGirl.create :ci_commit
@build = FactoryGirl.create :ci_build, commit: @commit
@build2 = FactoryGirl.create :ci_build
@gl_project = @commit.project.gl_project
@gl_project.team << [@user, :master]
end
......@@ -61,13 +62,24 @@ describe "Builds" do
end
describe "GET /:project/builds/:id" do
context "Build from project" do
before do
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content @commit.sha[0..7] }
it { expect(page).to have_content @commit.git_commit_message }
it { expect(page).to have_content @commit.git_author_name }
end
context "Build from other project" do
before do
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build2)
end
it { expect(page.status_code).to eq(404) }
end
context "Download artifacts" do
before do
......@@ -80,35 +92,92 @@ describe "Builds" do
end
describe "POST /:project/builds/:id/cancel" do
context "Build from project" do
before do
@build.run!
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
click_link "Cancel"
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content 'canceled' }
it { expect(page).to have_content 'Retry' }
end
context "Build from other project" do
before do
@build.run!
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
page.driver.post(cancel_namespace_project_build_path(@gl_project.namespace, @gl_project, @build2))
end
it { expect(page.status_code).to eq(404) }
end
end
describe "POST /:project/builds/:id/retry" do
context "Build from project" do
before do
@build.run!
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
click_link "Cancel"
click_link 'Cancel'
click_link 'Retry'
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content 'pending' }
it { expect(page).to have_content 'Cancel' }
end
context "Build from other project" do
before do
@build.run!
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
click_link 'Cancel'
page.driver.post(retry_namespace_project_build_path(@gl_project.namespace, @gl_project, @build2))
end
it { expect(page.status_code).to eq(404) }
end
end
describe "GET /:project/builds/:id/download" do
context "Build from project" do
before do
@build.update_attributes(artifacts_file: artifacts_file)
visit namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
click_link 'Download artifacts'
end
it { expect(page.status_code).to eq(200) }
it { expect(page.response_headers['Content-Type']).to eq(artifacts_file.content_type) }
end
context "Build from other project" do
before do
@build2.update_attributes(artifacts_file: artifacts_file)
visit download_namespace_project_build_path(@gl_project.namespace, @gl_project, @build2)
end
it { expect(page.status_code).to eq(404) }
end
end
describe "GET /:project/builds/:id/status" do
context "Build from project" do
before do
visit status_namespace_project_build_path(@gl_project.namespace, @gl_project, @build)
end
it { expect(page.status_code).to eq(200) }
end
context "Build from other project" do
before do
visit status_namespace_project_build_path(@gl_project.namespace, @gl_project, @build2)
end
it { expect(page.status_code).to eq(404) }
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment