Merge branch 'security-disable-github-import-api-by-seetings' into 'master'

Disable github import api by seetings Closes #143 See merge request gitlab-org/security/gitlab!556

Merge branch 'security-disable-github-import-api-by-seetings' into 'master'
Disable github import api by seetings Closes #143 See merge request gitlab-org/security/gitlab!556
124f3a2c · GitLab Release Tools Bot · 319ad4a9 · dafdeb00 · 124f3a2c · 124f3a2c
Commit 124f3a2c authored Jun 29, 2020 by GitLab Release Tools Bot
3 changed files
--- a/changelogs/unreleased/security-disable-github-import-api-by-seetings.yml
+++ b/changelogs/unreleased/security-disable-github-import-api-by-seetings.yml
+---
+title: Disable Github Importer API by settings
+merge_request:
+author:
+type: security
--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@@ -4,6 +4,10 @@ module API
  class ImportGithub < Grape::API
    rescue_from Octokit::Unauthorized, with: :provider_unauthorized

+    before do
+      forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('github')
+    end
+
    helpers do
      def client
        @client ||= Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], client_options)

--- a/spec/requests/api/import_github_spec.rb
+++ b/spec/requests/api/import_github_spec.rb
@@ -26,6 +26,18 @@ RSpec.describe API::ImportGithub do
      end
    end

+    it 'rejects requests when Github Importer is disabled' do
+      stub_application_setting(import_sources: nil)
+
+      post api("/import/github", user), params: {
+        target_namespace: user.namespace_path,
+        personal_access_token: token,
+        repo_id: non_existing_record_id
+      }
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
    it 'returns 201 response when the project is imported successfully' do
      allow(Gitlab::LegacyGithubImport::ProjectCreator)
        .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)