Commit 71f389d3 authored by Robert Speicher

Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

parents 46de7e6b 1337490c
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
## 12.2.5
### Security (1 change)
- Do not allow creation of projects from group templates if project is not descendant of that group.
## 12.2.4 ## 12.2.4
### Fixed (1 change) ### Fixed (1 change)
......
...@@ -2,6 +2,13 @@ ...@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 12.2.5
### Security (1 change)
- Upgrade pages to 1.7.2.
## 12.2.4 ## 12.2.4
### Fixed (7 changes) ### Fixed (7 changes)
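Review bot: the 12.2.5 entry records the pages upgrade as 1.7.2, while the unreleased changelog entry in this same commit says "Upgrade pages to 1.8.1"; confirm these are deliberately different targets (1.7.2 as the backport on the 12.2 stable branch, 1.8.1 for the next minor) rather than one of them being a typo, since nothing in the diff explains the difference.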
......
---
title: Upgrade pages to 1.8.1
merge_request:
author:
type: security
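Review bot: `merge_request:` and `author:` are left empty; if the security merge request is intentionally unlinked because it lives on the private tracker, say so in the commit, otherwise fill in the MR number so the entry can be traced back to the fix.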
...@@ -10,6 +10,11 @@ module EE ...@@ -10,6 +10,11 @@ module EE
def execute def execute
return super unless use_custom_template? return super unless use_custom_template?
if subgroup_id && !valid_project_namespace?
project.errors.add(:namespace, _("is not a descendant of the Group owning the template"))
return project
end
override_params = params.dup override_params = params.dup
params[:custom_template] = template_project if template_project params[:custom_template] = template_project if template_project
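Review bot: the guard `if subgroup_id && !valid_project_namespace?` relies on `subgroup_id` now having a side effect (it deletes `group_with_project_templates_id` from `params`), and because it is called here before `override_params = params.dup`, that key never reaches `super`. Add a comment stating that the removal is intended so the parameter is not forwarded to project creation; a reader of `subgroup_id` alone would not expect a predicate-style accessor to mutate `params`. The guard itself sits after `return super unless use_custom_template?`, so it only applies to group-owned custom templates, which matches the changelog entry.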
...@@ -34,7 +39,21 @@ module EE ...@@ -34,7 +39,21 @@ module EE
end end
def subgroup_id def subgroup_id
params[:group_with_project_templates_id].presence @subgroup_id ||= params.delete(:group_with_project_templates_id).presence
end
# rubocop: disable CodeReuse/ActiveRecord
def valid_project_namespace?
templates_owner = ::Group.find(subgroup_id).parent
return false unless templates_owner
templates_owner.self_and_descendants.exists?(id: project.namespace_id)
end
# rubocop: enable CodeReuse/ActiveRecord
def project
@project ||= ::Project.new(namespace_id: params[:namespace_id])
end end
end end
end end
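Review bot: `::Group.find(subgroup_id)` in `valid_project_namespace?` raises `ActiveRecord::RecordNotFound` for an unknown id instead of returning false, so a caller supplying a bogus `group_with_project_templates_id` takes an exception path rather than receiving the `:namespace` error added in the previous hunk. Use `::Group.find_by(id: subgroup_id)&.parent` and treat nil as invalid, which also keeps the `return false unless templates_owner` line meaningful. Separately, `project` builds `::Project.new(namespace_id: params[:namespace_id])`; when `namespace_id` is omitted, `project.namespace_id` is nil, `exists?(id: nil)` is false and the request is rejected. That is the safe outcome, but it deserves a spec so it is not lost in a later refactor.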
......
---
title: Do not allow creation of projects from group templates if project is not descendant
of that group
merge_request:
author:
type: security
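Review bot: the `title:` value continues onto a second line (`of that group`); the continuation line must be indented for YAML to read it as one plain scalar, otherwise the changelog entry fails to parse. Consider keeping the full title on one line, as the sibling entry does.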
...@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do ...@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do
it_behaves_like 'a project that isn\'t persisted' it_behaves_like 'a project that isn\'t persisted'
end end
context 'when project is created outside of group hierarchy' do
let(:user) { create(:user) }
let(:project) { create(:project, :public, namespace: user.namespace) }
let(:namespace_id) { user.namespace_id }
it_behaves_like 'a project that isn\'t persisted'
end
end end
context 'when the namespace is inside the hierarchy of the Group owning the template' do context 'when the namespace is inside the hierarchy of the Group owning the template' do
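Review bot: the new context only asserts through `it_behaves_like 'a project that isn't persisted'`, which is the same outcome as the other failure contexts, so it would still pass if the rejection came from some other reason. Add an expectation that `errors[:namespace]` on the returned project includes "is not a descendant of the Group owning the template" so the spec pins the new guard. Also, `let(:project) { create(:project, :public, namespace: user.namespace) }` persists a project the service never reads (only `namespace_id` is consumed); unless an outer `before` block depends on `project`, drop it to keep the context minimal.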
......