Don't process MR refs for guests in the notes

68d13322 · Oswaldo Ferreira · Yorick Peterse · a3cde026 · 68d13322 · 68d13322
Commit 68d13322 authored Jan 09, 2019 by Oswaldo Ferreira Committed by Yorick Peterse Jan 31, 2019
3 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -393,7 +393,7 @@ class ProjectPolicy < BasePolicy
  end.enable :read_issue_iid

  rule do
-    (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
+    (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
  end.enable :read_merge_request_iid

  rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster

--- a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -12,7 +12,7 @@ describe ProjectPolicy do
  let(:base_guest_permissions) do
    %i[
      read_project read_board read_list read_wiki read_issue
-      read_project_for_iids read_issue_iid read_merge_request_iid read_label
+      read_project_for_iids read_issue_iid read_label
      read_milestone read_project_snippet read_project_member read_note
      create_project create_issue create_note upload_file create_merge_request_in
      award_emoji read_release
@@ -152,6 +152,16 @@ describe ProjectPolicy do
    end
  end

+  context 'for a guest in a private project' do
+    let(:project) { create(:project, :private) }
+    subject { described_class.new(guest, project) }
+
+    it 'disallows the guest from reading the merge request and merge request iid' do
+      expect_disallowed(:read_merge_request)
+      expect_disallowed(:read_merge_request_iid)
+    end
+  end
+
  context 'builds feature' do
    subject { described_class.new(owner, project) }