Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
948e6e90
Commit
948e6e90
authored
Sep 06, 2019
by
George Koltsov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Do not create projects from group template if project is not descendant of that group
parent
0f33bdad
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
34 additions
and
1 deletion
+34
-1
ee/app/services/ee/projects/create_from_template_service.rb
ee/app/services/ee/projects/create_from_template_service.rb
+20
-1
ee/changelogs/unreleased/security-project-from-template-vuln.yml
...gelogs/unreleased/security-project-from-template-vuln.yml
+6
-0
ee/spec/services/projects/create_from_template_service_spec.rb
...ec/services/projects/create_from_template_service_spec.rb
+8
-0
No files found.
ee/app/services/ee/projects/create_from_template_service.rb
View file @
948e6e90
...
@@ -10,6 +10,11 @@ module EE
...
@@ -10,6 +10,11 @@ module EE
def
execute
def
execute
return
super
unless
use_custom_template?
return
super
unless
use_custom_template?
if
subgroup_id
&&
!
valid_project_namespace?
project
.
errors
.
add
(
:namespace
,
_
(
"is not a descendant of the Group owning the template"
))
return
project
end
override_params
=
params
.
dup
override_params
=
params
.
dup
params
[
:custom_template
]
=
template_project
if
template_project
params
[
:custom_template
]
=
template_project
if
template_project
...
@@ -34,7 +39,21 @@ module EE
...
@@ -34,7 +39,21 @@ module EE
end
end
def
subgroup_id
def
subgroup_id
params
[
:group_with_project_templates_id
].
presence
@subgroup_id
||=
params
.
delete
(
:group_with_project_templates_id
).
presence
end
# rubocop: disable CodeReuse/ActiveRecord
def
valid_project_namespace?
templates_owner
=
::
Group
.
find
(
subgroup_id
).
parent
return
false
unless
templates_owner
templates_owner
.
self_and_descendants
.
exists?
(
id:
project
.
namespace_id
)
end
# rubocop: enable CodeReuse/ActiveRecord
def
project
@project
||=
::
Project
.
new
(
namespace_id:
params
[
:namespace_id
])
end
end
end
end
end
end
...
...
ee/changelogs/unreleased/security-project-from-template-vuln.yml
0 → 100644
View file @
948e6e90
---
title
:
Do not allow creation of projects from group templates if project is not descendant
of that group
merge_request
:
author
:
type
:
security
ee/spec/services/projects/create_from_template_service_spec.rb
View file @
948e6e90
...
@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do
...
@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do
it_behaves_like
'a project that isn\'t persisted'
it_behaves_like
'a project that isn\'t persisted'
end
end
context
'when project is created outside of group hierarchy'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
namespace:
user
.
namespace
)
}
let
(
:namespace_id
)
{
user
.
namespace_id
}
it_behaves_like
'a project that isn\'t persisted'
end
end
end
context
'when the namespace is inside the hierarchy of the Group owning the template'
do
context
'when the namespace is inside the hierarchy of the Group owning the template'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
