Commit 66088697 authored by Brett Walker's avatar Brett Walker Committed by GitLab Release Tools Bot

[security] Fix markdown API disclosing issue titles of limited projects

Merge branch 'security-markdown-api-issue-title-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2407

Changelog: security
parent 0a0775a3
...@@ -640,7 +640,8 @@ class Issue < ApplicationRecord ...@@ -640,7 +640,8 @@ class Issue < ApplicationRecord
# Returns `true` if this Issue is visible to everybody. # Returns `true` if this Issue is visible to everybody.
def publicly_visible? def publicly_visible?
project.public? && !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled? project.public? && project.feature_available?(:issues, nil) &&
!confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
end end
def expire_etag_cache def expire_etag_cache
......
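Review bot: The comment above `publicly_visible?` still reads "visible to everybody" while the method now additionally requires `project.feature_available?(:issues, nil)`, so the doc should name that condition: `# Returns \`true\` if this Issue is visible to everybody: the project is public, its issues feature is available to anonymous users, and the issue is neither confidential nor hidden.` Going by the commit title, callers that used this method as an anonymous fast path (the markdown reference rendering) now get `false` for a public project whose issues are limited to team members, which is the intended fix; any other caller or cache keyed on this predicate inherits the same change and is worth a quick audit. `expire_etag_cache` continues outside the hunk.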
...@@ -105,7 +105,7 @@ class ProjectFeature < ApplicationRecord ...@@ -105,7 +105,7 @@ class ProjectFeature < ApplicationRecord
# that the user has access to the feature. It's important to use this scope with others # that the user has access to the feature. It's important to use this scope with others
# that checks project authorizations first (e.g. `filter_by_feature_visibility`). # that checks project authorizations first (e.g. `filter_by_feature_visibility`).
# #
# This method uses an optimised version of `with_feature_access_level` for # This method uses an optimized version of `with_feature_access_level` for
# logged in users to more efficiently get private projects with the given # logged in users to more efficiently get private projects with the given
# feature. # feature.
def self.with_feature_available_for_user(feature, user) def self.with_feature_available_for_user(feature, user)
......
...@@ -742,14 +742,15 @@ RSpec.describe Issue do ...@@ -742,14 +742,15 @@ RSpec.describe Issue do
describe '#participants' do describe '#participants' do
context 'using a public project' do context 'using a public project' do
let_it_be(:issue) { create(:issue, project: reusable_project) } let_it_be(:public_project) { create(:project, :public) }
let_it_be(:issue) { create(:issue, project: public_project) }
let!(:note1) do let!(:note1) do
create(:note_on_issue, noteable: issue, project: reusable_project, note: 'a') create(:note_on_issue, noteable: issue, project: public_project, note: 'a')
end end
let!(:note2) do let!(:note2) do
create(:note_on_issue, noteable: issue, project: reusable_project, note: 'b') create(:note_on_issue, noteable: issue, project: public_project, note: 'b')
end end
it 'includes the issue author' do it 'includes the issue author' do
...@@ -819,20 +820,35 @@ RSpec.describe Issue do ...@@ -819,20 +820,35 @@ RSpec.describe Issue do
context 'without a user' do context 'without a user' do
let(:user) { nil } let(:user) { nil }
before do context 'with issue available as public' do
project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC) before do
end project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC)
end
it 'returns true when the issue is publicly visible' do
expect(issue).to receive(:publicly_visible?).and_return(true)
is_expected.to eq(true)
end
it 'returns true when the issue is publicly visible' do it 'returns false when the issue is not publicly visible' do
expect(issue).to receive(:publicly_visible?).and_return(true) expect(issue).to receive(:publicly_visible?).and_return(false)
is_expected.to eq(true) is_expected.to eq(false)
end
end end
it 'returns false when the issue is not publicly visible' do context 'with issues available only to team members in a public project' do
expect(issue).to receive(:publicly_visible?).and_return(false) let(:public_project) { create(:project, :public) }
let(:issue) { build(:issue, project: public_project) }
is_expected.to eq(false) before do
public_project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
end
it 'returns false' do
is_expected.to eq(false)
end
end end
end end
......
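Review bot: Both examples in the 'with issue available as public' context (the `expect(issue).to receive(:publicly_visible?)` lines) stub the predicate, so the only unstubbed coverage of the new `feature_available?(:issues, nil)` condition is the negative case in the 'issues available only to team members' context; an unstubbed positive case would catch a regression that made the check return `false` for every anonymous user. Something like `it 'returns true without stubbing' do` / `  is_expected.to eq(true)` / `end` in the public context would do that, provided the `project` used there is itself public. The `subject` and the `project`/`issue` definitions for this context are set up outside the hunk, so whether that project is public is not visible here; if it is private, build the example on a `create(:project, :public)` as the team-members context does. The participants hunk earlier in this file only swaps `reusable_project` for a dedicated `public_project` and raises nothing.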
...@@ -156,6 +156,46 @@ RSpec.describe API::Markdown do ...@@ -156,6 +156,46 @@ RSpec.describe API::Markdown do
end end
end end
end end
context 'with a public project and issues only for team members' do
let(:public_project) do
create(:project, :public).tap do |project|
project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
end
end
let(:issue) { create(:issue, project: public_project, title: 'Team only title') }
let(:text) { "#{issue.to_reference}" }
let(:params) { { text: text, gfm: true, project: public_project.full_path } }
shared_examples 'user without proper access' do
it 'does not render the title' do
expect(response).to have_gitlab_http_status(:created)
expect(json_response["html"]).not_to include('Team only title')
end
end
context 'when not logged in' do
let(:user) { }
it_behaves_like 'user without proper access'
end
context 'when logged in as user without access' do
let(:user) { create(:user) }
it_behaves_like 'user without proper access'
end
context 'when logged in as author' do
let(:user) { issue.author }
it 'renders the title or link' do
expect(response).to have_gitlab_http_status(:created)
expect(json_response["html"]).to include('Team only title')
end
end
end
end end
end end
end end
......
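Review bot: `let(:user) { }` in the 'when not logged in' context relies on an empty block evaluating to `nil`; `let(:user) { nil }` states the intent and matches the form the Issue spec in this same commit uses. Likewise `let(:text) { "#{issue.to_reference}" }` interpolates a single expression and can simply be `let(:text) { issue.to_reference }`. The shared example asserts only that the title is absent, which an empty or error `html` value would also satisfy; if the reference is expected to survive as plain text for users without access, adding `expect(json_response["html"]).to include(issue.to_reference)` would pin the intended degraded rendering rather than just the absence of the title. The request setup that consumes `params` and `user` is defined outside the hunk.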