Commit 2f8d8dca authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee

parent 4d243f5c
...@@ -9,7 +9,7 @@ module Mutations ...@@ -9,7 +9,7 @@ module Mutations
# This method is defined here in order to be used by `authorized_find!` in the subclasses. # This method is defined here in order to be used by `authorized_find!` in the subclasses.
def find_object(id:) def find_object(id:)
GitlabSchema.object_from_id(id) GitlabSchema.object_from_id(id, expected_type: ::Metrics::Dashboard::Annotation)
end end
end end
end end
......
...@@ -7,6 +7,11 @@ module Members ...@@ -7,6 +7,11 @@ module Members
def initialize(current_user = nil, params = {}) def initialize(current_user = nil, params = {})
@current_user = current_user @current_user = current_user
@params = params @params = params
# could be a string, force to an integer, part of fix
# https://gitlab.com/gitlab-org/gitlab/-/issues/219496
# Allow the ArgumentError to be raised if it can't be converted to an integer.
@params[:access_level] = Integer(@params[:access_level]) if @params[:access_level]
end end
def after_execute(args) def after_execute(args)
......
...@@ -52,7 +52,14 @@ module Todos ...@@ -52,7 +52,14 @@ module Todos
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def remove_project_todos def remove_project_todos
Todo.where(project_id: non_authorized_projects, user_id: user.id).delete_all # Issues are viewable by guests (even in private projects), so remove those todos
# from projects without guest access
Todo.where(project_id: non_authorized_guest_projects, user_id: user.id)
.delete_all
# MRs require reporter access, so remove those todos that are not authorized
Todo.where(project_id: non_authorized_reporter_projects, target_type: MergeRequest.name, user_id: user.id)
.delete_all
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
...@@ -68,7 +75,7 @@ module Todos ...@@ -68,7 +75,7 @@ module Todos
when Project when Project
{ id: entity.id } { id: entity.id }
when Namespace when Namespace
{ namespace_id: non_member_groups } { namespace_id: non_authorized_reporter_groups }
end end
Project.where(condition) Project.where(condition)
...@@ -76,8 +83,32 @@ module Todos ...@@ -76,8 +83,32 @@ module Todos
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def non_authorized_projects def authorized_reporter_projects
projects.where('id NOT IN (?)', user.authorized_projects.select(:id)) user.authorized_projects(Gitlab::Access::REPORTER).select(:id)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def authorized_guest_projects
user.authorized_projects(Gitlab::Access::GUEST).select(:id)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def non_authorized_reporter_projects
projects.where('id NOT IN (?)', authorized_reporter_projects)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def non_authorized_guest_projects
projects.where('id NOT IN (?)', authorized_guest_projects)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def authorized_reporter_groups
GroupsFinder.new(user, min_access_level: Gitlab::Access::REPORTER).execute.select(:id)
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
...@@ -91,9 +122,9 @@ module Todos ...@@ -91,9 +122,9 @@ module Todos
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def non_member_groups def non_authorized_reporter_groups
entity.self_and_descendants.select(:id) entity.self_and_descendants.select(:id)
.where('id NOT IN (?)', user.membership_groups.select(:id)) .where('id NOT IN (?)', authorized_reporter_groups)
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
...@@ -106,8 +137,6 @@ module Todos ...@@ -106,8 +137,6 @@ module Todos
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def confidential_issues def confidential_issues
assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user.id) assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user.id)
authorized_reporter_projects = user
.authorized_projects(Gitlab::Access::REPORTER).select(:id)
Issue.where(project_id: projects, confidential: true) Issue.where(project_id: projects, confidential: true)
.where('project_id NOT IN(?)', authorized_reporter_projects) .where('project_id NOT IN(?)', authorized_reporter_projects)
......
---
title: Ensure global ID is of Annotation type in GraphQL destroy mutation
merge_request:
author:
type: security
---
title: Fix redaction of confidential Todos
merge_request:
author:
type: security
...@@ -9,13 +9,9 @@ RSpec.describe Mutations::Metrics::Dashboard::Annotations::Delete do ...@@ -9,13 +9,9 @@ RSpec.describe Mutations::Metrics::Dashboard::Annotations::Delete do
let_it_be(:project) { create(:project, :private, :repository) } let_it_be(:project) { create(:project, :private, :repository) }
let_it_be(:environment) { create(:environment, project: project) } let_it_be(:environment) { create(:environment, project: project) }
let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: environment) } let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: environment) }
let(:mutation) do
variables = {
id: GitlabSchema.id_from_object(annotation).to_s
}
graphql_mutation(:delete_annotation, variables) let(:variables) { { id: GitlabSchema.id_from_object(annotation).to_s } }
end let(:mutation) { graphql_mutation(:delete_annotation, variables) }
def mutation_response def mutation_response
graphql_mutation_response(:delete_annotation) graphql_mutation_response(:delete_annotation)
...@@ -37,15 +33,11 @@ RSpec.describe Mutations::Metrics::Dashboard::Annotations::Delete do ...@@ -37,15 +33,11 @@ RSpec.describe Mutations::Metrics::Dashboard::Annotations::Delete do
end end
context 'with invalid params' do context 'with invalid params' do
let(:mutation) do let(:variables) { { id: GitlabSchema.id_from_object(project).to_s } }
variables = {
id: 'invalid_id'
}
graphql_mutation(:delete_annotation, variables) it_behaves_like 'a mutation that returns top-level errors' do
let(:match_errors) { eq(["#{variables[:id]} is not a valid ID for #{annotation.class}."]) }
end end
it_behaves_like 'a mutation that returns top-level errors', errors: ['invalid_id is not a valid GitLab ID.']
end end
context 'when the delete fails' do context 'when the delete fails' do
......
...@@ -31,11 +31,8 @@ RSpec.describe Members::UpdateService do ...@@ -31,11 +31,8 @@ RSpec.describe Members::UpdateService do
end end
context 'when member is downgraded to guest' do context 'when member is downgraded to guest' do
let(:params) do shared_examples 'schedules to delete confidential todos' do
{ access_level: Gitlab::Access::GUEST } it do
end
it 'schedules to delete confidential todos' do
expect(TodosDestroyer::EntityLeaveWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, member.user_id, member.source_id, source.class.name).once expect(TodosDestroyer::EntityLeaveWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, member.user_id, member.source_id, source.class.name).once
updated_member = described_class.new(current_user, params).execute(member, permission: permission) updated_member = described_class.new(current_user, params).execute(member, permission: permission)
...@@ -44,6 +41,27 @@ RSpec.describe Members::UpdateService do ...@@ -44,6 +41,27 @@ RSpec.describe Members::UpdateService do
expect(updated_member.access_level).to eq(Gitlab::Access::GUEST) expect(updated_member.access_level).to eq(Gitlab::Access::GUEST)
end end
end end
context 'with Gitlab::Access::GUEST level as a string' do
let(:params) { { access_level: Gitlab::Access::GUEST.to_s } }
it_behaves_like 'schedules to delete confidential todos'
end
context 'with Gitlab::Access::GUEST level as an integer' do
let(:params) { { access_level: Gitlab::Access::GUEST } }
it_behaves_like 'schedules to delete confidential todos'
end
end
context 'when access_level is invalid' do
let(:params) { { access_level: 'invalid' } }
it 'raises an error' do
expect { described_class.new(current_user, params) }.to raise_error(ArgumentError, 'invalid value for Integer(): "invalid"')
end
end
end end
before do before do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment