Commit 64d59e7e authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-id-fix-disclosure-of-private-repo-names' into 'master'

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3505
parents 1cffa117 f6bb5a96
...@@ -34,6 +34,7 @@ module LfsRequest ...@@ -34,6 +34,7 @@ module LfsRequest
end end
def lfs_check_access! def lfs_check_access!
return render_lfs_not_found unless project
return if download_request? && lfs_download_access? return if download_request? && lfs_download_access?
return if upload_request? && lfs_upload_access? return if upload_request? && lfs_upload_access?
......
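Review bot: The new guard `return render_lfs_not_found unless project` only takes effect when `project` evaluates to nil; a `project` helper that raises on a missing id (as `Project.find` does) would never reach it, and whether every controller including `LfsRequest` returns nil rather than raising is not visible in this hunk, so it is worth confirming per includer — the spec's test controller was switched to `find_by(id:)` for exactly this reason. The ordering also matters: placing the guard before the `download_request?`/`upload_request?` checks is what keeps a missing project and an inaccessible private one indistinguishable (both 404), and a one-line comment would keep that intent from being lost in a later reorder: `# 404 rather than 403: a caller without access must not be able to tell a private project from a missing one`. The body of `lfs_check_access!` continues past the end of the hunk.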
---
title: Return 404 on LFS request if project doesn't exist
merge_request:
author:
type: security
...@@ -16,13 +16,17 @@ describe LfsRequest do ...@@ -16,13 +16,17 @@ describe LfsRequest do
end end
def project def project
@project ||= Project.find(params[:id]) @project ||= Project.find_by(id: params[:id])
end end
def download_request? def download_request?
true true
end end
def upload_request?
false
end
def ci? def ci?
false false
end end
...@@ -49,4 +53,41 @@ describe LfsRequest do ...@@ -49,4 +53,41 @@ describe LfsRequest do
expect(assigns(:storage_project)).to eq(project) expect(assigns(:storage_project)).to eq(project)
end end
end end
context 'user is authenticated without access to lfs' do
before do
allow(controller).to receive(:authenticate_user)
allow(controller).to receive(:authentication_result) do
Gitlab::Auth::Result.new
end
end
context 'with access to the project' do
it 'returns 403' do
get :show, params: { id: project.id }
expect(response.status).to eq(403)
end
end
context 'without access to the project' do
context 'project does not exist' do
it 'returns 404' do
get :show, params: { id: 'does not exist' }
expect(response.status).to eq(404)
end
end
context 'project is private' do
let(:project) { create(:project, :private) }
it 'returns 404' do
get :show, params: { id: project.id }
expect(response.status).to eq(404)
end
end
end
end
end end
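Review bot: The 'project does not exist' example passes the non-numeric string `'does not exist'` as the id, which `find_by(id:)` type-casts before querying, so the spec never exercises the realistic case of a well-formed integer id with no matching row — the shape a probe for private project ids would actually use. Prefer an integer that the suite's database cannot reach, e.g. `get :show, params: { id: 99_999_999 }` (constructed value; pick whatever the suite's conventions use for absent records). The 'project is private' context relies on the authenticated user having no membership in the overridden `project`, which is implied rather than stated; a short comment such as `# user is not a member, so the private project must look identical to a missing one` would make the expectation explicit. The `describe LfsRequest` block and the `project`/`user` setup it builds on begin outside this hunk.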