Fix api leaking notes when user is not authorized to read noteable

e56e3cdc · Felipe Artur · ae25c19e · e56e3cdc · e56e3cdc · e56e3cdc
Commit e56e3cdc authored May 09, 2016 by Felipe Artur
Show whitespace changes
Inline Side-by-side

Showing with 38 additions and 13 deletions

CHANGELOG CHANGELOG +1 -0

lib/api/notes.rb lib/api/notes.rb +18 -13

spec/requests/api/notes_spec.rb spec/requests/api/notes_spec.rb +19 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@ v 8.8.0 (unreleased)
  - Bump mail_room to 0.7.0 to fix stuck IDLE connections
  - Remove future dates from contribution calendar graph.
  - Support e-mail notifications for comments on project snippets
+  - Fix API leak of notes of unauthorized issues, snippets and merge requests
  - Use ActionDispatch Remote IP for Akismet checking
  - Fix error when visiting commit builds page before build was updated
  - Add 'l' shortcut to open Label dropdown on issuables and 'i' to create new issue on a project

--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -20,7 +20,9 @@ module API
        #   GET /projects/:id/snippets/:noteable_id/notes
        get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
          @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
+          read_ability_name = "read_#{@noteable.class.to_s.underscore.downcase}".to_sym

+          if can?(current_user, read_ability_name, @noteable)
            # We exclude notes that are cross-references and that cannot be viewed
            # by the current user. By doing this exclusion at this level and not
            # at the DB query level (which we cannot in that case), the current
@@ -33,6 +35,9 @@ module API
              paginate(@noteable.notes).
              reject { |n| n.cross_reference_not_visible_for?(current_user) }
            present notes, with: Entities::Note
+          else
+            render_api_error!("Not found.", 404)
+          end
        end

        # Get a single +noteable+ note

--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -57,6 +57,15 @@ describe API::API, api: true  do
          expect(json_response).to be_empty
        end

+        context "and issue is confidential" do
+          before { ext_issue.update_attributes(confidential: true) }
+
+          it "returns 404" do
+            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", user)
+            expect(response.status).to eq(404)
+          end
+        end
+
        context "and current user can view the note" do
          it "should return an empty array" do
            get api("/projects/#{ext_proj.id}/issues/#{ext_issue.id}/notes", private_user)
@@ -80,6 +89,11 @@ describe API::API, api: true  do
        get api("/projects/#{project.id}/snippets/42/notes", user)
        expect(response.status).to eq(404)
      end
+
+      it "returns 404 when not authorized" do
+        get api("/projects/#{project.id}/snippets/#{snippet.id}/notes", private_user)
+        expect(response.status).to eq(404)
+      end
    end

    context "when noteable is a Merge Request" do
@@ -94,6 +108,11 @@ describe API::API, api: true  do
        get api("/projects/#{project.id}/merge_requests/4444/notes", user)
        expect(response.status).to eq(404)
      end
+
+      it "returns 404 when not authorized" do
+        get api("/projects/#{project.id}/merge_requests/4444/notes", private_user)
+        expect(response.status).to eq(404)
+      end
    end
  end