Avoid exposing release links when the user cannot read tag

This commit fixes the security vulnerability that guest can read git-tag through release links.

Avoid exposing release links when the user cannot read tag
This commit fixes the security vulnerability that guest can read git-tag through release links.
50b90619 · Shinya Maeda · a55f5d50 · 50b90619 · 50b90619 · 50b90619
Commit 50b90619 authored Jan 07, 2021 by Shinya Maeda
5 changed files
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
  before_action :require_non_empty_project, except: [:index]
  before_action :release, only: %i[edit show update downloads]
  before_action :authorize_read_release!
+  # We have to check `download_code` permission because detail URL path
+  # contains git-tag name.
+  before_action :authorize_download_code!, except: [:index]
  before_action do
    push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
    push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)

--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
  end

  def self_url
+    return unless can_download_code?
+
    project_release_url(project, release)
  end


--- a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
+++ b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
+---
+title: Avoid exposing release links when the user cannot read git-tag/repository
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
  let_it_be(:private_project) { create(:project, :repository, :private) }
  let_it_be(:developer)  { create(:user) }
  let_it_be(:reporter)   { create(:user) }
+  let_it_be(:guest)      { create(:user) }
  let_it_be(:user)       { developer }
  let!(:release_1)       { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
  let!(:release_2)       { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
  before do
    project.add_developer(developer)
    project.add_reporter(reporter)
+    project.add_guest(guest)
  end

  shared_examples_for 'successful request' do
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do

      it_behaves_like 'not found'
    end
+
+    context 'when user is a guest' do
+      let(:project) { private_project }
+      let(:user) { guest }
+
+      it_behaves_like 'not found'
+    end
  end

  # `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb

--- a/spec/presenters/release_presenter_spec.rb
+++ b/spec/presenters/release_presenter_spec.rb
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
    it 'returns its own url' do
      is_expected.to eq(project_release_url(project, release))
    end
+
+    context 'when user is guest' do
+      let(:user) { guest }
+
+      it { is_expected.to be_nil }
+    end
  end

  describe '#opened_merge_requests_url' do