Prevent Releases links API to leak tag existance

d5c858cd · Alessio Caiazza · a6794a27 · d5c858cd · d5c858cd · d5c858cd
Commit d5c858cd authored Feb 08, 2019 by Alessio Caiazza
3 changed files
--- a/changelogs/unreleased/security-tags-oracle.yml
+++ b/changelogs/unreleased/security-tags-oracle.yml
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
@@ -8,6 +8,8 @@ module API
      RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
        .merge(tag_name: API::NO_SLASH_URL_PART_REGEX)

+      before { authorize! :read_release, user_project }
+
      params do
        requires :id, type: String, desc: 'The ID of a project'
      end

--- a/spec/requests/api/release/links_spec.rb
+++ b/spec/requests/api/release/links_spec.rb
@@ -73,6 +73,22 @@ describe API::Release::Links do
          expect(response).to have_gitlab_http_status(:ok)
        end
      end
+
+      context 'when project is public and the repository is private' do
+        let(:project) { create(:project, :repository, :public, :repository_private) }
+
+        it_behaves_like '403 response' do
+          let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+        end
+
+        context 'when the release does not exists' do
+          let!(:release) { }
+
+          it_behaves_like '403 response' do
+            let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+          end
+        end
+      end
    end
  end