nexedi / gitlab-ce

Commit 71f389d3, authored Sep 10, 2019 by Robert Speicher

Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

Parents: 46de7e6b, 1337490c
Showing 7 changed files with 54 additions and 2 deletions

CHANGELOG-EE.md (+7 -0)
CHANGELOG.md (+7 -0)
GITLAB_PAGES_VERSION (+1 -1)
changelogs/unreleased/security-12-3-bump-pages.yml (+5 -0)
ee/app/services/ee/projects/create_from_template_service.rb (+20 -1)
ee/changelogs/unreleased/security-project-from-template-vuln.yml (+6 -0)
ee/spec/services/projects/create_from_template_service_spec.rb (+8 -0)
CHANGELOG-EE.md
View file @
71f389d3
Please view this file on the master branch, on stable branches it's out of date.
## 12.2.5
### Security (1 change)
-
Do not allow creation of projects from group templates if project is not descendant of that group.
## 12.2.4
### Fixed (1 change)
...
...
CHANGELOG.md
View file @
71f389d3
...
...
@@ -2,6 +2,13 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 12.2.5
### Security (1 change)
-
Upgrade pages to 1.7.2.
## 12.2.4
### Fixed (7 changes)
...
...
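Review bot: the 12.2.5 entry added here reads "Upgrade pages to 1.7.2", while GITLAB_PAGES_VERSION in this same commit moves from 1.8.0 to 1.8.1 and the new changelogs/unreleased/security-12-3-bump-pages.yml says "Upgrade pages to 1.8.1". If 1.7.2 is the version shipped on the 12.2 line and 1.8.1 the one for the next release, the two are consistent, but nothing in the commit says so. A sentence in the merge message naming which Pages version goes with which release would save the next reader the cross-check.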
GITLAB_PAGES_VERSION
View file @
71f389d3
1.8.
0
1.8.
1
changelogs/unreleased/security-12-3-bump-pages.yml
0 → 100644
View file @
71f389d3
---
title
:
Upgrade pages to 1.8.1
merge_request
:
author
:
type
:
security
ee/app/services/ee/projects/create_from_template_service.rb
View file @
71f389d3
...
...
@@ -10,6 +10,11 @@ module EE
def
execute
return
super
unless
use_custom_template?
if
subgroup_id
&&
!
valid_project_namespace?
project
.
errors
.
add
(
:namespace
,
_
(
"is not a descendant of the Group owning the template"
))
return
project
end
override_params
=
params
.
dup
params
[
:custom_template
]
=
template_project
if
template_project
...
...
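Review bot: the new guard in `execute` only runs when `subgroup_id` is present (`if subgroup_id && !valid_project_namespace?`), so a custom-template request that omits `group_with_project_templates_id` continues to `template_project` with no namespace check at all. If that path is intentionally exempt, a short comment above the `if` should say why; if it is not, the check should not depend on the caller supplying the parameter. It is also worth documenting that the early return hands back a `Project.new` built from `params[:namespace_id]` alone, carrying only the `:namespace` error, so callers should not expect other attributes on it.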
@@ -34,7 +39,21 @@ module EE
end
def
subgroup_id
params
[
:group_with_project_templates_id
].
presence
@subgroup_id
||=
params
.
delete
(
:group_with_project_templates_id
).
presence
end
# rubocop: disable CodeReuse/ActiveRecord
def
valid_project_namespace?
templates_owner
=
::
Group
.
find
(
subgroup_id
).
parent
return
false
unless
templates_owner
templates_owner
.
self_and_descendants
.
exists?
(
id:
project
.
namespace_id
)
end
# rubocop: enable CodeReuse/ActiveRecord
def
project
@project
||=
::
Project
.
new
(
namespace_id:
params
[
:namespace_id
])
end
end
end
...
...
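Review bot: in `valid_project_namespace?`, `::Group.find(subgroup_id)` raises ActiveRecord::RecordNotFound when the caller-supplied id does not exist, so a bad `group_with_project_templates_id` surfaces as an exception rather than as the `:namespace` validation error that `execute` sets. Consider `::Group.find_by(id: subgroup_id)&.parent`, which falls through to the existing `return false unless templates_owner`. Separately, `subgroup_id` now calls `params.delete` inside a memoized reader: the first read mutates `params`, and because `.presence` can return nil the `||=` does not memoize that case and the delete is repeated on every call. Removing the key once in an explicit step would make the ordering against `params.dup` in `execute` obvious.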
ee/changelogs/unreleased/security-project-from-template-vuln.yml
0 → 100644
View file @
71f389d3
---
title
:
Do not allow creation of projects from group templates if project is not descendant
of that group
merge_request
:
author
:
type
:
security
ee/spec/services/projects/create_from_template_service_spec.rb
View file @
71f389d3
...
...
@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do
it_behaves_like
'a project that isn\'t persisted'
end
context
'when project is created outside of group hierarchy'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
namespace:
user
.
namespace
)
}
let
(
:namespace_id
)
{
user
.
namespace_id
}
it_behaves_like
'a project that isn\'t persisted'
end
end
context
'when the namespace is inside the hierarchy of the Group owning the template'
do
...
...
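Review bot: the new context 'when project is created outside of group hierarchy' only reuses 'a project that isn\'t persisted', so it would pass if creation failed for any unrelated reason. Add an expectation that the returned project's errors on `:namespace` include "is not a descendant of the Group owning the template", so the test pins the new check rather than a generic failure. The branches of `valid_project_namespace?` that this context does not reach, a template group with no parent (`return false unless templates_owner`) and a `group_with_project_templates_id` that matches no group, deserve their own cases.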