Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

ed98b14d · GitLab Bot · 9bfd352c · ed98b14d · ed98b14d · ed98b14d
Commit ed98b14d authored Apr 27, 2020 by GitLab Bot
6 changed files
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -624,6 +624,7 @@ module ProjectsHelper
  def find_file_path
    return unless @project && !@project.empty_repo?
+    return unless can?(current_user, :download_code, @project)
    ref = @ref || @project.repository.root_ref

--- a/changelogs/unreleased/bug-codeowner-diffs.yml
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-branch-permissions.yml
+++ b/changelogs/unreleased/security-branch-permissions.yml
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
    end
    context 'when @project is set' do
-      it 'includes all possible body data elements and associates the project elements with project' do
+      let_it_be(:project) { create(:project, :repository) }
-        project = create(:project)
+      let_it_be(:user) { create(:user) }
+      before do
        assign(:project, project)
+        allow(helper).to receive(:current_user).and_return(nil)
+      end
+      it 'includes all possible body data elements and associates the project elements with project' do
+        expect(helper).to receive(:can?).with(nil, :download_code, project)
        expect(helper.body_data).to eq(
          {
            page: 'application',
@@ -302,12 +307,11 @@ describe ApplicationHelper do
        context 'when params[:id] is present and the issue exsits and action_name is show' do
          it 'sets all project and id elements correctly related to the issue' do
-            issue = create(:issue)
+            issue = create(:issue, project: project)
            stub_controller_method(:action_name, 'show')
            stub_controller_method(:params, { id: issue.id })
-            assign(:project, issue.project)
+            expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
            expect(helper.body_data).to eq(
              {
                page: 'projects:issues:show',
@@ -322,6 +326,15 @@ describe ApplicationHelper do
          end
        end
      end
+      context 'when current_user has download_code permission' do
+        it 'returns find_file with the default branch' do
+          allow(helper).to receive(:current_user).and_return(user)
+          expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+          expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+        end
+      end
    end
    def stub_controller_method(method_name, value)

--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore