Merge branch '245260-fix-git-url-project-disclosure' into 'master'

Resolve ".git URL for a project responds differently if a private project exists" See merge request gitlab-org/gitlab!52818

Merge branch '245260-fix-git-url-project-disclosure' into 'master'
Resolve ".git URL for a project responds differently if a private project exists" See merge request gitlab-org/gitlab!52818
0c3154cf · David Fernandez · 4db6ea14 · 406a452d · 0c3154cf · 0c3154cf
Commit 0c3154cf authored Feb 09, 2021 by David Fernandez
3 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -502,13 +502,15 @@ class ProjectsController < Projects::ApplicationController
    render_404 unless Gitlab::CurrentSettings.project_export_enabled?
  end

+  # Redirect from localhost/group/project.git to localhost/group/project
  def redirect_git_extension
-    # Redirect from
-    #   localhost/group/project.git
-    # to
-    #   localhost/group/project
-    #
-    redirect_to request.original_url.sub(%r{\.git/?\Z}, '') if params[:format] == 'git'
+    return unless params[:format] == 'git'
+
+    # `project` calls `find_routable!`, so this will trigger the usual not-found
+    # behaviour when the user isn't authorized to see the project
+    return unless project
+
+    redirect_to(request.original_url.sub(%r{\.git/?\Z}, ''))
  end

  def whitelist_query_limiting

--- a/changelogs/unreleased/245260-fix-git-url-project-disclosure.yml
+++ b/changelogs/unreleased/245260-fix-git-url-project-disclosure.yml
+---
+title: Don't expose project existence by redirecting from its .git URL
+merge_request: 52818
+author:
+type: fixed
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -5,6 +5,7 @@ require('spec_helper')
 RSpec.describe ProjectsController do
  include ExternalAuthorizationServiceHelpers
  include ProjectForksHelper
+  using RSpec::Parameterized::TableSyntax

  let_it_be(:project, reload: true) { create(:project, service_desk_enabled: false) }
  let_it_be(:public_project) { create(:project, :public) }
@@ -324,14 +325,39 @@ RSpec.describe ProjectsController do
      end
    end

-    context "redirection from http://someproject.git" do
-      it 'redirects to project page (format.html)' do
-        project = create(:project, :public)
+    context 'redirection from http://someproject.git' do
+      where(:user_type, :project_visibility, :expected_redirect) do
+        :anonymous | :public   | :redirect_to_project
+        :anonymous | :internal | :redirect_to_signup
+        :anonymous | :private  | :redirect_to_signup

-        get :show, params: { namespace_id: project.namespace, id: project }, format: :git
+        :signed_in | :public   | :redirect_to_project
+        :signed_in | :internal | :redirect_to_project
+        :signed_in | :private  | nil

-        expect(response).to have_gitlab_http_status(:found)
-        expect(response).to redirect_to(namespace_project_path)
+        :member | :public   | :redirect_to_project
+        :member | :internal | :redirect_to_project
+        :member | :private  | :redirect_to_project
+      end
+
+      with_them do
+        let(:redirect_to_signup) { new_user_session_path }
+        let(:redirect_to_project) { project_path(project) }
+
+        let(:expected_status) { expected_redirect ? :found : :not_found }
+
+        before do
+          project.update!(visibility: project_visibility.to_s)
+          project.team.add_user(user, :guest) if user_type == :member
+          sign_in(user) unless user_type == :anonymous
+        end
+
+        it 'returns the expected status' do
+          get :show, params: { namespace_id: project.namespace, id: project }, format: :git
+
+          expect(response).to have_gitlab_http_status(expected_status)
+          expect(response).to redirect_to(send(expected_redirect)) if expected_status == :found
+        end
      end
    end