[security] Fix markdown API disclosing issue titles of limited projects

Merge branch 'security-markdown-api-issue-title-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2407 Changelog: security

[security] Fix markdown API disclosing issue titles of limited projects
Merge branch 'security-markdown-api-issue-title-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2407 Changelog: security
66088697 · Brett Walker · GitLab Release Tools Bot · 0a0775a3 · 66088697 · 66088697
Commit 66088697 authored Apr 29, 2022 by Brett Walker Committed by GitLab Release Tools Bot Apr 29, 2022
4 changed files
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -640,7 +640,8 @@ class Issue < ApplicationRecord

  # Returns `true` if this Issue is visible to everybody.
  def publicly_visible?
-    project.public? && !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
+    project.public? && project.feature_available?(:issues, nil) &&
+      !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
  end

  def expire_etag_cache

--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -105,7 +105,7 @@ class ProjectFeature < ApplicationRecord
  # that the user has access to the feature. It's important to use this scope with others
  # that checks project authorizations first (e.g. `filter_by_feature_visibility`).
  #
-  # This method uses an optimised version of `with_feature_access_level` for
+  # This method uses an optimized version of `with_feature_access_level` for
  # logged in users to more efficiently get private projects with the given
  # feature.
  def self.with_feature_available_for_user(feature, user)

--- a/spec/models/issue_spec.rb
+++ b/spec/models/issue_spec.rb
@@ -742,14 +742,15 @@ RSpec.describe Issue do

  describe '#participants' do
    context 'using a public project' do
-      let_it_be(:issue) { create(:issue, project: reusable_project) }
+      let_it_be(:public_project) { create(:project, :public) }
+      let_it_be(:issue) { create(:issue, project: public_project) }

      let!(:note1) do
-        create(:note_on_issue, noteable: issue, project: reusable_project, note: 'a')
+        create(:note_on_issue, noteable: issue, project: public_project, note: 'a')
      end

      let!(:note2) do
-        create(:note_on_issue, noteable: issue, project: reusable_project, note: 'b')
+        create(:note_on_issue, noteable: issue, project: public_project, note: 'b')
      end

      it 'includes the issue author' do
@@ -819,20 +820,35 @@ RSpec.describe Issue do
    context 'without a user' do
      let(:user) { nil }

-      before do
-        project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC)
-      end
+      context 'with issue available as public' do
+        before do
+          project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC)
+        end
+
+        it 'returns true when the issue is publicly visible' do
+          expect(issue).to receive(:publicly_visible?).and_return(true)
+
+          is_expected.to eq(true)
+        end

-      it 'returns true when the issue is publicly visible' do
-        expect(issue).to receive(:publicly_visible?).and_return(true)
+        it 'returns false when the issue is not publicly visible' do
+          expect(issue).to receive(:publicly_visible?).and_return(false)

-        is_expected.to eq(true)
+          is_expected.to eq(false)
+        end
      end

-      it 'returns false when the issue is not publicly visible' do
-        expect(issue).to receive(:publicly_visible?).and_return(false)
+      context 'with issues available only to team members in a public project' do
+        let(:public_project) { create(:project, :public) }
+        let(:issue) { build(:issue, project: public_project) }

-        is_expected.to eq(false)
+        before do
+          public_project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
+        end
+
+        it 'returns false' do
+          is_expected.to eq(false)
+        end
      end
    end


--- a/spec/requests/api/markdown_spec.rb
+++ b/spec/requests/api/markdown_spec.rb
@@ -156,6 +156,46 @@ RSpec.describe API::Markdown do
            end
          end
        end
+
+        context 'with a public project and issues only for team members' do
+          let(:public_project) do
+            create(:project, :public).tap do |project|
+              project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
+            end
+          end
+
+          let(:issue)  { create(:issue, project: public_project, title: 'Team only title') }
+          let(:text)   { "#{issue.to_reference}" }
+          let(:params) { { text: text, gfm: true, project: public_project.full_path } }
+
+          shared_examples 'user without proper access' do
+            it 'does not render the title' do
+              expect(response).to have_gitlab_http_status(:created)
+              expect(json_response["html"]).not_to include('Team only title')
+            end
+          end
+
+          context 'when not logged in' do
+            let(:user) { }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as user without access' do
+            let(:user) { create(:user) }
+
+            it_behaves_like 'user without proper access'
+          end
+
+          context 'when logged in as author' do
+            let(:user) { issue.author }
+
+            it 'renders the title or link' do
+              expect(response).to have_gitlab_http_status(:created)
+              expect(json_response["html"]).to include('Team only title')
+            end
+          end
+        end
      end
    end
  end