Commit a818f0fc authored by Rémy Coutable's avatar Rémy Coutable Committed by Rémy Coutable

Merge branch 'fix-project-hook-delete-permissions' into 'master'

Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent fb7b8265
...@@ -7,6 +7,7 @@ v 8.6.8 ...@@ -7,6 +7,7 @@ v 8.6.8
- Fix vulnerability that leaks private labels and milestones - Fix vulnerability that leaks private labels and milestones
- Prevent XSS with in label dropdown - Prevent XSS with in label dropdown
- Prevent privilege escalation via "impersonate" feature - Prevent privilege escalation via "impersonate" feature
- Prevent users from deleting Webhooks via API they do not own
- Prevent information disclosure via milestone API - Prevent information disclosure via milestone API
- Prevent information disclosure via snippet API - Prevent information disclosure via snippet API
- Prevent information disclosure via new merge request page - Prevent information disclosure via new merge request page
......
...@@ -103,10 +103,10 @@ module API ...@@ -103,10 +103,10 @@ module API
required_attributes! [:hook_id] required_attributes! [:hook_id]
begin begin
@hook = ProjectHook.find(params[:hook_id]) @hook = user_project.hooks.destroy(params[:hook_id])
@hook.destroy
rescue rescue
# ProjectHook can raise Error if hook_id not found # ProjectHook can raise Error if hook_id not found
not_found!("Error deleting hook #{params[:hook_id]}")
end end
end end
end end
......
...@@ -148,14 +148,24 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -148,14 +148,24 @@ describe API::API, 'ProjectHooks', api: true do
expect(response.status).to eq(200) expect(response.status).to eq(200)
end end
it "should return success when deleting non existent hook" do it "should return a 404 error when deleting non existent hook" do
delete api("/projects/#{project.id}/hooks/42", user) delete api("/projects/#{project.id}/hooks/42", user)
expect(response.status).to eq(200) expect(response.status).to eq(404)
end end
it "should return a 405 error if hook id not given" do it "should return a 405 error if hook id not given" do
delete api("/projects/#{project.id}/hooks", user) delete api("/projects/#{project.id}/hooks", user)
expect(response.status).to eq(405) expect(response.status).to eq(405)
end end
it "shold return a 404 if a user attempts to delete project hooks he/she does not own" do
test_user = create(:user)
other_project = create(:project)
other_project.team << [test_user, :master]
delete api("/projects/#{other_project.id}/hooks/#{hook.id}", test_user)
expect(response.status).to eq(404)
expect(WebHook.exists?(hook.id)).to be_truthy
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment