Check permissions before showing head pipeline blocking merge requests

d537d230 · Nick Thomas · Yorick Peterse · fd34cc48 · d537d230 · d537d230
Commit d537d230 authored Sep 19, 2019 by Nick Thomas Committed by Yorick Peterse Sep 30, 2019
3 changed files
--- a/changelogs/unreleased/security-13338-fix-head-pipeline-leak.yml
+++ b/changelogs/unreleased/security-13338-fix-head-pipeline-leak.yml
+---
+title: Check permissions before showing head pipeline blocking merge requests
+merge_request:
+author:
+type: security
--- a/ee/app/serializers/blocking_merge_request_entity.rb
+++ b/ee/app/serializers/blocking_merge_request_entity.rb
@@ -20,7 +20,10 @@ class BlockingMergeRequestEntity < Grape::Entity
    merge_request_path(blocking_mr)
  end

-  expose :head_pipeline, using: ::API::Entities::Pipeline
+  expose :head_pipeline,
+         if: -> (_, _) { can_read_head_pipeline? },
+         using: ::API::Entities::Pipeline
+
  expose :assignees, using: ::API::Entities::UserBasic
  expose :milestone, using: ::API::Entities::Milestone
  expose :created_at
@@ -28,4 +31,10 @@ class BlockingMergeRequestEntity < Grape::Entity
  expose :closed_at do |blocking_mr|
    blocking_mr.metrics.latest_closed_at
  end
+
+  private
+
+  def can_read_head_pipeline?
+    can?(request.current_user, :read_pipeline, object.head_pipeline)
+  end
 end
--- a/ee/spec/serializers/blocking_merge_request_entity_spec.rb
+++ b/ee/spec/serializers/blocking_merge_request_entity_spec.rb
@@ -3,10 +3,11 @@
 require 'spec_helper'

 describe BlockingMergeRequestEntity do
-  set(:merge_request) { create(:merge_request) }
-  set(:user) { create(:user) }
+  let(:merge_request) { create(:merge_request) }
+  let(:project) { merge_request.target_project }
+  let(:user) { create(:user) }

-  let(:web_url) { Gitlab::Routing.url_helpers.project_merge_request_path(merge_request.project, merge_request) }
+  let(:web_url) { Gitlab::Routing.url_helpers.project_merge_request_path(project, merge_request) }
  let(:request) { double('request', current_user: user) }
  let(:extra_options) { {} }

@@ -28,6 +29,26 @@ describe BlockingMergeRequestEntity do
    )
  end

+  describe '#head_pipeline' do
+    subject { entity.as_json[:head_pipeline] }
+
+    before do
+      merge_request.head_pipeline = create(:ci_pipeline, project: project)
+    end
+
+    context 'visible pipeline' do
+      before do
+        project.team.add_developer(user)
+      end
+
+      it { is_expected.to include(id: merge_request.head_pipeline.id) }
+    end
+
+    context 'hidden pipeline' do
+      it { is_expected.to be_nil }
+    end
+  end
+
  describe '#reference' do
    let(:other_project) { create(:project) }