Merge branch 'security-fix-bitbucket-bypass' into 'master'

Bypass Disabled Bitbucket Server import source Project Creation

See merge request gitlab-org/security/gitlab!1745

lib/api/import_bitbucket_server.rb

@@ -4,6 +4,10 @@ module API
   class ImportBitbucketServer < ::API::Base
     feature_category :importers
 
+    before do
+      forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('bitbucket_server')
+    end
+
     helpers do
       def client
         @client ||= BitbucketServer::Client.new(credentials)

spec/requests/api/import_bitbucket_server_spec.rb

@@ -28,6 +28,20 @@ RSpec.describe API::ImportBitbucketServer do
         Grape::Endpoint.before_each nil
       end
 
+      it 'rejects requests when Bitbucket Server Importer is disabled' do
+        stub_application_setting(import_sources: nil)
+
+        post api("/import/bitbucket_server", user), params: {
+          bitbucket_server_url: base_uri,
+          bitbucket_server_username: user,
+          personal_access_token: token,
+          bitbucket_server_project: project_key,
+          bitbucket_server_repo: repo_slug
+        }
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
       it 'returns 201 response when the project is imported successfully' do
         allow(Gitlab::BitbucketServerImport::ProjectCreator)
           .to receive(:new).with(project_key, repo_slug, anything, repo_slug, user.namespace, user, anything)