Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'

2b2efbc6 · John T Skarbek · affa81eb · 7b52cff4 · 2b2efbc6 · 2b2efbc6
Commit 2b2efbc6 authored Aug 14, 2019 by John T Skarbek
5 changed files
--- a/app/models/project_services/slash_commands_service.rb
+++ b/app/models/project_services/slash_commands_service.rb
@@ -35,6 +35,8 @@ class SlashCommandsService < Service
    chat_user = find_chat_user(params)

    if chat_user&.user
+      return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
+
      Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
    else
      url = authorize_chat_name_url(params)

--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
+    enable :use_slash_commands
  end

  rule { blocked | internal }.policy do
@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
    prevent :access_api
    prevent :access_git
    prevent :receive_notifications
+    prevent :use_slash_commands
  end

  rule { required_terms_not_accepted }.policy do
@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy

  rule { access_locked }.policy do
    prevent :log_in
+    prevent :use_slash_commands
  end

  rule { ~(anonymous & restricted_public_level) }.policy do

--- a/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml
+++ b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml
+---
+title: Restrict slash commands to users who can log in
+merge_request:
+author:
+type: security
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -226,4 +226,32 @@ describe GlobalPolicy do
      it { is_expected.not_to be_allowed(:read_instance_statistics) }
    end
  end
+
+  describe 'slash commands' do
+    context 'regular user' do
+      it { is_expected.to be_allowed(:use_slash_commands) }
+    end
+
+    context 'when internal' do
+      let(:current_user) { User.ghost }
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+    end
+
+    context 'when blocked' do
+      before do
+        current_user.block
+      end
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+    end
+
+    context 'when access locked' do
+      before do
+        current_user.lock_access!
+      end
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+    end
+  end
 end
--- a/spec/support/shared_examples/chat_slash_commands_shared_examples.rb
+++ b/spec/support/shared_examples/chat_slash_commands_shared_examples.rb
@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do

          subject.trigger(params)
        end
+
+        context 'when user is blocked' do
+          before do
+            chat_name.user.block
+          end
+
+          it 'blocks command execution' do
+            expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)
+
+            result = subject.trigger(params)
+            expect(result).to include(text: /^Whoops! This action is not allowed/)
+          end
+        end
      end
    end
  end