nexedi / gitlab-ce
Commit 2b2efbc6 authored Aug 14, 2019 by John T Skarbek
Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'
parents affa81eb 7b52cff4
Showing 5 changed files with 51 additions and 0 deletions
app/models/project_services/slash_commands_service.rb (+2 -0)
app/policies/global_policy.rb (+3 -0)
changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml (+5 -0)
spec/policies/global_policy_spec.rb (+28 -0)
spec/support/shared_examples/chat_slash_commands_shared_examples.rb (+13 -0)
app/models/project_services/slash_commands_service.rb
...
@@ -35,6 +35,8 @@ class SlashCommandsService < Service
...
@@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user
=
find_chat_user
(
params
)
chat_user
=
find_chat_user
(
params
)
if
chat_user
&
.
user
if
chat_user
&
.
user
return
Gitlab
::
SlashCommands
::
Presenters
::
Access
.
new
.
access_denied
unless
chat_user
.
user
.
can?
(
:use_slash_commands
)
Gitlab
::
SlashCommands
::
Command
.
new
(
project
,
chat_user
,
params
).
execute
Gitlab
::
SlashCommands
::
Command
.
new
(
project
,
chat_user
,
params
).
execute
else
else
url
=
authorize_chat_name_url
(
params
)
url
=
authorize_chat_name_url
(
params
)
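Review bot: the new guard `return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)` carries no comment saying why a chat user that is already linked to an account can still be denied at this point; add a one-line note that this is the account-state check (blocked, internal and locked accounts, per GlobalPolicy) so a later reader does not take it for a redundant permission check and refactor it away. The placement itself is right: it runs before `Gitlab::SlashCommands::Command.new(project, chat_user, params).execute`, so nothing is parsed or dispatched for a denied user, and the generic `access_denied` presenter does not reveal the account state to the chat channel.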
...
...
app/policies/global_policy.rb
...
@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
...
@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
enable
:access_git
enable
:access_git
enable
:receive_notifications
enable
:receive_notifications
enable
:use_quick_actions
enable
:use_quick_actions
enable
:use_slash_commands
end
end
rule
{
blocked
|
internal
}.
policy
do
rule
{
blocked
|
internal
}.
policy
do
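Review bot: the rule head for the block receiving `enable :use_slash_commands` is outside the hunk, so confirm it is the same general authenticated-user rule that carries `enable :access_git` and `enable :receive_notifications` rather than a narrower one. A short comment on the new ability, stating that it gates the chat slash-command service (`SlashCommandsService` in this commit) and is distinct from `:use_quick_actions`, would help the next reader tell the two apart.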
...
@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
...
@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
prevent
:access_api
prevent
:access_api
prevent
:access_git
prevent
:access_git
prevent
:receive_notifications
prevent
:receive_notifications
prevent
:use_slash_commands
end
end
rule
{
required_terms_not_accepted
}.
policy
do
rule
{
required_terms_not_accepted
}.
policy
do
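Review bot: `prevent :use_slash_commands` is added to the `blocked | internal` rule, but the `required_terms_not_accepted` rule that immediately follows is untouched and its body is not in the hunk; given the commit title ("users who can log in"), check whether that state should also deny slash commands, and if that rule prevents `:log_in` then the new prevent belongs there as well.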
...
@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
...
@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
rule
{
access_locked
}.
policy
do
rule
{
access_locked
}.
policy
do
prevent
:log_in
prevent
:log_in
prevent
:use_slash_commands
end
end
rule
{
~
(
anonymous
&
restricted_public_level
)
}.
policy
do
rule
{
~
(
anonymous
&
restricted_public_level
)
}.
policy
do
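Review bot: this is now the third rule that enumerates `prevent :use_slash_commands`, here directly beside the existing `prevent :log_in`, which is exactly the relationship the commit title describes; rather than repeating the prevent per account state, consider deriving it once, for example `rule { ~can?(:log_in) }.prevent :use_slash_commands`, so a future state that removes `:log_in` cannot forget to remove slash commands. If the policy DSL ordering makes that awkward, keep the per-state prevents but add a spec asserting that `use_slash_commands` is never allowed when `log_in` is not.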
...
...
changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml
0 → 100644
---
title
:
Restrict slash commands to users who can log in
merge_request
:
author
:
type
:
security
spec/policies/global_policy_spec.rb
...
@@ -226,4 +226,32 @@ describe GlobalPolicy do
...
@@ -226,4 +226,32 @@ describe GlobalPolicy do
it
{
is_expected
.
not_to
be_allowed
(
:read_instance_statistics
)
}
it
{
is_expected
.
not_to
be_allowed
(
:read_instance_statistics
)
}
end
end
end
end
describe
'slash commands'
do
context
'regular user'
do
it
{
is_expected
.
to
be_allowed
(
:use_slash_commands
)
}
end
context
'when internal'
do
let
(
:current_user
)
{
User
.
ghost
}
it
{
is_expected
.
not_to
be_allowed
(
:use_slash_commands
)
}
end
context
'when blocked'
do
before
do
current_user
.
block
end
it
{
is_expected
.
not_to
be_allowed
(
:use_slash_commands
)
}
end
context
'when access locked'
do
before
do
current_user
.
lock_access!
end
it
{
is_expected
.
not_to
be_allowed
(
:use_slash_commands
)
}
end
end
end
end
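Review bot: the new `describe 'slash commands'` block covers regular, internal (`User.ghost`), blocked and access-locked users, which matches the three prevents in the policy, but there is no case for a user with required terms not accepted and no assertion tying the new ability to `:log_in`; add a `context 'when required terms not accepted'` with whichever expectation matches the policy decision, so the invariant "can use slash commands only if can log in" is pinned by the spec and not only by the commit title.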
spec/support/shared_examples/chat_slash_commands_shared_examples.rb
...
@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do
...
@@ -93,6 +93,19 @@ RSpec.shared_examples 'chat slash commands service' do
subject
.
trigger
(
params
)
subject
.
trigger
(
params
)
end
end
context
'when user is blocked'
do
before
do
chat_name
.
user
.
block
end
it
'blocks command execution'
do
expect_any_instance_of
(
Gitlab
::
SlashCommands
::
Command
).
not_to
receive
(
:execute
)
result
=
subject
.
trigger
(
params
)
expect
(
result
).
to
include
(
text:
/^Whoops! This action is not allowed/
)
end
end
end
end
end
end
end
end
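Review bot: `expect_any_instance_of(Gitlab::SlashCommands::Command).not_to receive(:execute)` is the weaker form of this assertion and is flagged by RuboCop's RSpec/AnyInstance; `expect(Gitlab::SlashCommands::Command).not_to receive(:new)` asserts the stronger property that the command object is never built for a blocked user, which is what the guard in `SlashCommandsService` actually returns before. The example also exercises only the blocked state; since the service-level guard is what stops the request, add at least the locked case (`chat_name.user.lock_access!`) here too, mirroring the policy spec.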
...
...