Commit fccc9454 authored by Dmitriy Zaporozhets

Merge branch 'search-information-leak' into 'master'

Don't leak existence of group or project via search.

Fixes gitlab/gitlab-ee#266.

See merge request !1762
parents b7586612 28f9c986
...@@ -6,6 +6,8 @@ v 7.10.0 (unreleased) ...@@ -6,6 +6,8 @@ v 7.10.0 (unreleased)
- Fix project import URL regex to prevent arbitary local repos from being imported. - Fix project import URL regex to prevent arbitary local repos from being imported.
- Fix directory traversal vulnerability around uploads routes. - Fix directory traversal vulnerability around uploads routes.
- Fix directory traversal vulnerability around help pages. - Fix directory traversal vulnerability around help pages.
- Don't leak existence of project via search autocomplete.
- Don't leak existence of group or project via search.
- Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
- Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
- Add ability to configure Reply-To address in gitlab.yml (Stan Hu) - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
......
...@@ -3,15 +3,22 @@ class SearchController < ApplicationController ...@@ -3,15 +3,22 @@ class SearchController < ApplicationController
def show def show
return if params[:search].nil? || params[:search].blank? return if params[:search].nil? || params[:search].blank?
@project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
@group = Group.find_by(id: params[:group_id]) if params[:group_id].present? if params[:project_id].present?
@project = Project.find_by(id: params[:project_id])
@project = nil unless can?(current_user, :download_code, @project)
end
if params[:group_id].present?
@group = Group.find_by(id: params[:group_id])
@group = nil unless can?(current_user, :read_group, @group)
end
@scope = params[:scope] @scope = params[:scope]
@show_snippets = params[:snippets].eql? 'true' @show_snippets = params[:snippets].eql? 'true'
@search_results = @search_results =
if @project if @project
return access_denied! unless can?(current_user, :download_code, @project)
unless %w(blobs notes issues merge_requests wiki_blobs). unless %w(blobs notes issues merge_requests wiki_blobs).
include?(@scope) include?(@scope)
@scope = 'blobs' @scope = 'blobs'
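Review bot: `can?(current_user, :download_code, @project)` is now evaluated with a nil subject whenever `Project.find_by(id: ...)` finds no record (and likewise `:read_group` on `@group`), so confirm that `can?` returns false for a nil subject rather than raising; otherwise an unknown id produces a 500 instead of the silent fall-through to global search that this change relies on to avoid revealing whether the id exists. A short comment above each block saying the nil assignment is deliberate would also help, since a later reader could mistake it for a bug and reintroduce the removed `access_denied!` branch, which distinguished "not found" from "forbidden".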
...@@ -35,7 +42,12 @@ class SearchController < ApplicationController ...@@ -35,7 +42,12 @@ class SearchController < ApplicationController
def autocomplete def autocomplete
term = params[:term] term = params[:term]
@project = Project.find(params[:project_id]) if params[:project_id].present?
if params[:project_id].present?
@project = Project.find_by(id: params[:project_id])
@project = nil unless can?(current_user, :read_project, @project)
end
@ref = params[:project_ref] if params[:project_ref].present? @ref = params[:project_ref] if params[:project_ref].present?
render json: search_autocomplete_opts(term).to_json render json: search_autocomplete_opts(term).to_json
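Review bot: the ability checked here (`:read_project`) differs from the `:download_code` check used in `show`, so a user who holds `:read_project` but not `:download_code` gets project-scoped autocomplete suggestions while the search page silently drops the same project; either align the two checks or document why autocomplete only needs the weaker one. Separately, `@ref = params[:project_ref]` is still assigned after `@project` has been set to nil by the permission check; moving that line inside the `if params[:project_id].present?` block, after the check, keeps a caller-supplied ref from reaching `search_autocomplete_opts` for a project the caller may not access.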
......