35a597d1
Commit
35a597d1
authored
Aug 21, 2019
by
drew cimino
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
parent
2369e488
Showing
3 changed files
with
64 additions
and
8 deletions
+64
-8
app/controllers/projects/merge_requests_controller.rb
app/controllers/projects/merge_requests_controller.rb
+6
-0
changelogs/unreleased/security-ci-metrics-permissions.yml
changelogs/unreleased/security-ci-metrics-permissions.yml
+6
-0
spec/controllers/projects/merge_requests_controller_spec.rb
spec/controllers/projects/merge_requests_controller_spec.rb
+52
-8
app/controllers/projects/merge_requests_controller.rb
@@ -12,6 +12,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
skip_before_action
:merge_request
,
only:
[
:index
,
:bulk_update
]
before_action
:whitelist_query_limiting
,
only:
[
:assign_related_issues
,
:update
]
before_action
:authorize_update_issuable!
,
only:
[
:close
,
:edit
,
:update
,
:remove_wip
,
:sort
]
before_action
:authorize_test_reports!
,
only:
[
:test_reports
]
before_action
:set_issuables_index
,
only:
[
:index
]
before_action
:authenticate_user!
,
only:
[
:assign_related_issues
]
before_action
:check_user_can_push_to_source_branch!
,
only:
[
:rebase
]
...
...
@@ -336,6 +337,11 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
render
json:
{
status_reason:
'Unknown error'
},
status: :internal_server_error
end
end
def
authorize_test_reports!
# MergeRequest#actual_head_pipeline is the pipeline accessed in MergeRequest#compare_reports.
return
render_404
unless
can?
(
current_user
,
:read_build
,
merge_request
.
actual_head_pipeline
)
end
end
Projects
::
MergeRequestsController
.
prepend_if_ee
(
'EE::Projects::MergeRequestsController'
)
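Review bot: The new `authorize_test_reports!` (hunk at line 337) evaluates `can?(current_user, :read_build, merge_request.actual_head_pipeline)` with no nil guard, so a merge request that has not produced a head pipeline yet is authorized against a nil subject; presumably the policy layer denies that, which would turn the "no pipeline yet" case into a 404 instead of whatever `test_reports` answered before, and the spec in this commit only covers the case where a pipeline exists. If that outcome is intended, it is worth stating next to the existing comment, e.g. `# No head pipeline means nothing to authorize against; a nil subject is denied, so we 404 here too.` — confirm the nil behaviour of `can?` before committing to that wording. If it is not intended, handle the nil before the `can?` call so the two outcomes are told apart deliberately. The enclosing class starts before this hunk, and the `end`/`end` pair above the new method closes a method whose beginning is outside the hunk.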
changelogs/unreleased/security-ci-metrics-permissions.yml
0 → 100644
---
title
:
Restrict MergeRequests#test_reports to authenticated users with read-access
on Builds
merge_request
:
author
:
type
:
security
spec/controllers/projects/merge_requests_controller_spec.rb
@@ -719,19 +719,63 @@ describe Projects::MergeRequestsController do
end
describe
'GET test_reports'
do
let
(
:merge_request
)
do
create
(
:merge_request
,
:with_diffs
,
:with_merge_request_pipeline
,
target_project:
project
,
source_project:
project
)
end
subject
do
get
:test_reports
,
params:
{
namespace_id:
project
.
namespace
.
to_param
,
project_id:
project
,
id:
merge_request
.
iid
},
format: :json
get
:test_reports
,
params:
{
namespace_id:
project
.
namespace
.
to_param
,
project_id:
project
,
id:
merge_request
.
iid
},
format: :json
end
before
do
allow_any_instance_of
(
MergeRequest
)
.
to
receive
(
:compare_test_reports
).
and_return
(
comparison_status
)
.
to
receive
(
:compare_test_reports
)
.
and_return
(
comparison_status
)
allow_any_instance_of
(
MergeRequest
)
.
to
receive
(
:actual_head_pipeline
)
.
and_return
(
merge_request
.
all_pipelines
.
take
)
end
describe
'permissions on a public project with private CI/CD'
do
let
(
:project
)
{
create
:project
,
:repository
,
:public
,
:builds_private
}
let
(
:comparison_status
)
{
{
status: :parsed
,
data:
{
summary:
1
}
}
}
context
'while signed out'
do
before
do
sign_out
(
user
)
end
it
'responds with a 404'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
response
.
body
).
to
be_blank
end
end
context
'while signed in as an unrelated user'
do
before
do
sign_in
(
create
(
:user
))
end
it
'responds with a 404'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
response
.
body
).
to
be_blank
end
end
end
context
'when comparison is being processed'
do
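Review bot: The new `'permissions on a public project with private CI/CD'` describe asserts only the two denial paths (signed out, unrelated user) and never that a user who does hold build read access on that project still receives the comparison, so an over-strict `authorize_test_reports!` would pass this spec unnoticed unless one of the contexts below the hunk already runs against a project with private builds. A third context along the lines of `context 'while signed in as a project member' do` that signs in a member with build access and expects a non-404 response from `subject` would pin both sides of the new check. Note also that the `allow_any_instance_of(MergeRequest).to receive(:actual_head_pipeline)` stub added to the top-level `before` applies to every context in the describe, including the pre-existing ones that continue past the end of this hunk.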