Commit b4c78519 authored by Robert Speicher's avatar Robert Speicher Committed by Rémy Coutable

Merge branch '15591-fix-project-leak-in-new-mr-view' into 'master'

Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 3e84dc5e
...@@ -7,6 +7,7 @@ v 8.3.9 ...@@ -7,6 +7,7 @@ v 8.3.9
- Prevent privilege escalation via "impersonate" feature - Prevent privilege escalation via "impersonate" feature
- Prevent users from deleting Webhooks via API they do not own - Prevent users from deleting Webhooks via API they do not own
- Prevent information disclosure via snippet API - Prevent information disclosure via snippet API
- Prevent information disclosure via new merge request page
v 8.3.8 v 8.3.8
- Remove persistent XSS vulnerability in `commit_person_link` helper - Remove persistent XSS vulnerability in `commit_person_link` helper
...@@ -9,6 +9,9 @@ module MergeRequests ...@@ -9,6 +9,9 @@ module MergeRequests
merge_request.compare_commits = [] merge_request.compare_commits = []
merge_request.compare_diffs = [] merge_request.compare_diffs = []
merge_request.source_project = project unless merge_request.source_project merge_request.source_project = project unless merge_request.source_project
merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
merge_request.target_project ||= (project.forked_from_project || project) merge_request.target_project ||= (project.forked_from_project || project)
merge_request.target_branch ||= merge_request.target_project.default_branch merge_request.target_branch ||= merge_request.target_project.default_branch
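Review bot: The readability guard added on the `merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)` line is not mirrored for `source_project`, which the preceding `merge_request.source_project = project unless merge_request.source_project` line shows can already be populated before this method assigns its fallback; if that value can arrive from request parameters the same way `target_project_id` does, a private source project's reference could still reach the new-MR page through the same path. Consider guarding it identically, `merge_request.source_project = nil unless can?(current_user, :read_project, merge_request.source_project)` placed ahead of the existing fallback, or adding a comment stating why the source side is trusted. When no target project was supplied at all, the new check calls `can?` with a nil subject before the `||=` default runs; presumably that simply returns false and the assignment is a no-op, but it is worth confirming rather than relying on it. The enclosing method starts and ends outside the hunk.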
require 'spec_helper'
feature 'Create New Merge Request', feature: true, js: true do
let(:user) { create(:user) }
let(:project) { create(:project, :public) }
before do
project.team << [user, :master]
login_as user
visit namespace_project_merge_requests_path(project.namespace, project)
end
context 'when target project cannot be viewed by the current user' do
it 'does not leak the private project name & namespace' do
private_project = create(:project, :private)
visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
expect(page).not_to have_content private_project.to_reference
end
end
end
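Review bot: The single assertion on the `expect(page).not_to have_content private_project.to_reference` line checks only the reference string, while the example title promises that neither the name nor the namespace leaks; if `to_reference` renders the namespaced path rather than the display name, a page that still prints `private_project.name` would pass. Add `expect(page).not_to have_content private_project.name` alongside it, and a positive expectation that the new-merge-request form actually rendered, so the example cannot also pass on an error or redirect page where nothing is shown. The `visit namespace_project_merge_requests_path(project.namespace, project)` call in the `before` block is superseded by the example's own `visit` and can be dropped to keep the setup minimal.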