Commit 8ed722bf authored by Oswaldo Ferreira's avatar Oswaldo Ferreira

Avoid leaking unauthorized approver group members

parent 3f14d2f4
---
title: Avoid leaking unauthorized approver group members
merge_request: 766
author:
type: security
...@@ -231,6 +231,12 @@ module EE ...@@ -231,6 +231,12 @@ module EE
end end
class MergeRequestApprovals < ::API::Entities::ProjectEntity class MergeRequestApprovals < ::API::Entities::ProjectEntity
def initialize(merge_request, options = {})
presenter = merge_request.present(current_user: options[:current_user])
super(presenter, options)
end
expose :merge_status expose :merge_status
expose :approvals_required expose :approvals_required
expose :approvals_left expose :approvals_left
......
...@@ -41,7 +41,7 @@ shared_examples 'approvals' do ...@@ -41,7 +41,7 @@ shared_examples 'approvals' do
describe 'approvals' do describe 'approvals' do
let!(:approval) { create(:approval, merge_request: merge_request, user: approver.user) } let!(:approval) { create(:approval, merge_request: merge_request, user: approver.user) }
before do def get_approvals
get :approvals, get :approvals,
params: { params: {
namespace_id: project.namespace.to_param, namespace_id: project.namespace.to_param,
...@@ -52,6 +52,8 @@ shared_examples 'approvals' do ...@@ -52,6 +52,8 @@ shared_examples 'approvals' do
end end
it 'shows approval information' do it 'shows approval information' do
get_approvals
approvals = json_response approvals = json_response
expect(response).to be_success expect(response).to be_success
...@@ -63,6 +65,23 @@ shared_examples 'approvals' do ...@@ -63,6 +65,23 @@ shared_examples 'approvals' do
expect(approvals['suggested_approvers'].size).to eq 1 expect(approvals['suggested_approvers'].size).to eq 1
expect(approvals['suggested_approvers'][0]['username']).to eq user.username expect(approvals['suggested_approvers'][0]['username']).to eq user.username
end end
context 'with unauthorized group' do
let(:private_group) { create(:group_with_members, :private) }
before do
create(:approver_group, target: merge_request, group: private_group)
end
it 'does not expose approvers from a private group the current user has no access to' do
get_approvals
approvals = json_response
expect(response).to be_success
expect(approvals['suggested_approvers'].size).to eq(0)
end
end
end end
describe 'unapprove' do describe 'unapprove' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment