Skip to content

G
gitlab-ce
Commit ed0d691e authored by Mark Chao's avatar Mark Chao
Browse files
Options

Block private snippets from being embeddable

parent 30c6db8f
Hide whitespace changes
Inline Side-by-side
Showing with 82 additions and 7 deletions
app/controllers/projects/snippets_controller.rb
View file @ ed0d691e
...@@ -75,7 +75,14 @@ class Projects::SnippetsController < Projects::ApplicationController ...@@ -75,7 +75,14 @@ class Projects::SnippetsController < Projects::ApplicationController
format.json do format.json do
render_blob_json(blob) render_blob_json(blob)
end end
format.js { render 'shared/snippets/show'}
format.js do
if @snippet.embeddable?
render 'shared/snippets/show'
else
head :not_found
end
end
end end
end end
......
app/controllers/snippets_controller.rb
View file @ ed0d691e
...@@ -80,7 +80,13 @@ class SnippetsController < ApplicationController ...@@ -80,7 +80,13 @@ class SnippetsController < ApplicationController
render_blob_json(blob) render_blob_json(blob)
end end
format.js { render 'shared/snippets/show' } format.js do
if @snippet.embeddable?
render 'shared/snippets/show'
else
head :not_found
end
end
end end
end end
......
app/models/snippet.rb
View file @ ed0d691e
...@@ -176,11 +176,9 @@ class Snippet < ActiveRecord::Base ...@@ -176,11 +176,9 @@ class Snippet < ActiveRecord::Base
end end
def embeddable? def embeddable?
if project_id? ability = project_id? ? :read_project_snippet : :read_personal_snippet
Ability.allowed?(nil, :read_project_snippet, self)
else Ability.allowed?(nil, ability, self)
Ability.allowed?(nil, :read_personal_snippet, self)
end
end end
def notes_with_associations def notes_with_associations
......
changelogs/unreleased/security-48259-private-snippet.yml 0 → 100644
View file @ ed0d691e
---
title: Prevent private snippets from being embeddable
merge_request:
author:
type: security
spec/controllers/projects/snippets_controller_spec.rb
View file @ ed0d691e
...@@ -379,6 +379,46 @@ describe Projects::SnippetsController do ...@@ -379,6 +379,46 @@ describe Projects::SnippetsController do
end end
end end
describe "GET #show for embeddable content" do
let(:project_snippet) { create(:project_snippet, snippet_permission, project: project, author: user) }
before do
sign_in(user)
get :show, namespace_id: project.namespace, project_id: project, id: project_snippet.to_param, format: :js
end
context 'when snippet is private' do
let(:snippet_permission) { :private }
it 'responds with status 404' do
expect(response).to have_gitlab_http_status(404)
end
end
context 'when snippet is public' do
let(:snippet_permission) { :public }
it 'responds with status 200' do
expect(assigns(:snippet)).to eq(project_snippet)
expect(response).to have_gitlab_http_status(200)
end
end
context 'when the project is private' do
let(:project) { create(:project_empty_repo, :private) }
context 'when snippet is public' do
let(:project_snippet) { create(:project_snippet, :public, project: project, author: user) }
it 'responds with status 404' do
expect(assigns(:snippet)).to eq(project_snippet)
expect(response).to have_gitlab_http_status(404)
end
end
end
end
describe 'GET #raw' do describe 'GET #raw' do
let(:project_snippet) do let(:project_snippet) do
create( create(
......
spec/controllers/snippets_controller_spec.rb
View file @ ed0d691e
...@@ -80,6 +80,12 @@ describe SnippetsController do ...@@ -80,6 +80,12 @@ describe SnippetsController do
expect(assigns(:snippet)).to eq(personal_snippet) expect(assigns(:snippet)).to eq(personal_snippet)
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
end end
it 'responds with status 404 when embeddable content is requested' do
get :show, id: personal_snippet.to_param, format: :js
expect(response).to have_gitlab_http_status(404)
end
end end
end end
...@@ -106,6 +112,12 @@ describe SnippetsController do ...@@ -106,6 +112,12 @@ describe SnippetsController do
expect(assigns(:snippet)).to eq(personal_snippet) expect(assigns(:snippet)).to eq(personal_snippet)
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
end end
it 'responds with status 404 when embeddable content is requested' do
get :show, id: personal_snippet.to_param, format: :js
expect(response).to have_gitlab_http_status(404)
end
end end
context 'when not signed in' do context 'when not signed in' do
...@@ -131,6 +143,13 @@ describe SnippetsController do ...@@ -131,6 +143,13 @@ describe SnippetsController do
expect(assigns(:snippet)).to eq(personal_snippet) expect(assigns(:snippet)).to eq(personal_snippet)
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
end end
it 'responds with status 200 when embeddable content is requested' do
get :show, id: personal_snippet.to_param, format: :js
expect(assigns(:snippet)).to eq(personal_snippet)
expect(response).to have_gitlab_http_status(200)
end
end end
context 'when not signed in' do context 'when not signed in' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7