Commit 344f7d39 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-id-forbid-public-cache-for-private-repos' into 'master'

Forbid public cache for private repos

See merge request gitlab-org/security/gitlab!1117
parents 5ba912a3 7ceb8f05
...@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController ...@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
def show def show
@blob = @repository.blob_at(@ref, @path) @blob = @repository.blob_at(@ref, @path)
send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?) send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
end end
private private
......
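Review bot: The cache-visibility check `Guest.can?(:download_code, @project)` on the `send_blob` line in `show` is repeated verbatim in `Projects::RepositoriesController#set_cache_headers` (next file section), so a future policy change has to be made in two places; a small private predicate on the shared parent controller, e.g. `def guest_can_download_code?` / `Guest.can?(:download_code, project)` / `end`, would let both call sites read `allow_caching: guest_can_download_code?`. Whichever form is kept, the reason for not using `@project.public?` is worth a comment, because the next reader will see a public project and wonder why visibility is not enough: `# A public project may still restrict its repository, so base cache visibility on guest download permission, not project visibility.` The `show` method is complete within the hunk; the `private` marker that follows suggests the rest of the class continues outside it.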
...@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController ...@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
end end
def set_cache_headers def set_cache_headers
expires_in cache_max_age(archive_metadata['CommitId']), public: project.public? expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
fresh_when(etag: archive_metadata['ArchivePath']) fresh_when(etag: archive_metadata['ArchivePath'])
end end
......
---
title: Forbid public cache for private repos
merge_request: 1117
author:
type: security
...@@ -250,6 +250,18 @@ RSpec.describe Projects::RawController do ...@@ -250,6 +250,18 @@ RSpec.describe Projects::RawController do
expect(response.cache_control[:no_store]).to be_nil expect(response.cache_control[:no_store]).to be_nil
end end
context 'when a public project has private repo' do
let(:project) { create(:project, :public, :repository, :repository_private) }
let(:user) { create(:user, maintainer_projects: [project]) }
it 'does not set public caching header' do
sign_in user
request_file
expect(response.header['Cache-Control']).to include('max-age=60, private')
end
end
context 'when If-None-Match header is set' do context 'when If-None-Match header is set' do
it 'returns a 304 status' do it 'returns a 304 status' do
request_file request_file
......
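Review bot: The new example in `context 'when a public project has private repo'` only covers a signed-in maintainer, which is the case that previously produced a `public` header, but it leaves the anonymous path unasserted; an extra example in the same context without `sign_in` that checks the response is not marked `public` (for instance `expect(response.header['Cache-Control']).not_to include('public')`) would pin both halves of the change. The `let(:user)` at the top of the context appears to exist solely for `sign_in user`, so the anonymous example needs nothing else. Whether `request_file` and the surrounding `describe` set any other headers is outside the hunk.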
...@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do ...@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
expect(response.header['ETag']).to be_present expect(response.header['ETag']).to be_present
expect(response.header['Cache-Control']).to include('max-age=60, public') expect(response.header['Cache-Control']).to include('max-age=60, public')
end end
context 'and repo is private' do
let(:project) { create(:project, :repository, :public, :repository_private) }
it 'sets appropriate caching headers' do
get_archive
expect(response).to have_gitlab_http_status(:ok)
expect(response.header['ETag']).to be_present
expect(response.header['Cache-Control']).to include('max-age=60, private')
end
end
end end
context 'when ref is a commit SHA' do context 'when ref is a commit SHA' do
......
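Review bot: The example description `it 'sets appropriate caching headers' do` does not say what "appropriate" means, so a regression prints an uninformative failure; the sibling spec in `Projects::RawController` names the same expectation `it 'does not set public caching header' do`, and matching that wording here keeps the two specs readable side by side. The factory trait order also differs between the two specs (`:repository, :public, :repository_private` here versus `:public, :repository, :repository_private` there), which is harmless but worth aligning while the descriptions are touched. Whether this context runs with a signed-in user is decided above the hunk and is not visible here.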