Merge branch 'security-project-from-template-vuln' into 'master'

Do not create projects from group template if project is not descendant of that group See merge request gitlab/gitlab-ee!1262

Merge branch 'security-project-from-template-vuln' into 'master'
Do not create projects from group template if project is not descendant of that group See merge request gitlab/gitlab-ee!1262
7dca43e0 · GitLab Release Tools Bot · 515cb20f · 948e6e90 · 7dca43e0 · 7dca43e0
Commit 7dca43e0 authored Sep 11, 2019 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/services/ee/projects/create_from_template_service.rb
+++ b/ee/app/services/ee/projects/create_from_template_service.rb
@@ -10,6 +10,11 @@ module EE
      def execute
        return super unless use_custom_template?

+        if subgroup_id && !valid_project_namespace?
+          project.errors.add(:namespace, _("is not a descendant of the Group owning the template"))
+          return project
+        end
+
        override_params = params.dup
        params[:custom_template] = template_project if template_project

@@ -34,7 +39,21 @@ module EE
      end

      def subgroup_id
-        params[:group_with_project_templates_id].presence
+        @subgroup_id ||= params.delete(:group_with_project_templates_id).presence
+      end
+
+      # rubocop: disable CodeReuse/ActiveRecord
+      def valid_project_namespace?
+        templates_owner = ::Group.find(subgroup_id).parent
+
+        return false unless templates_owner
+
+        templates_owner.self_and_descendants.exists?(id: project.namespace_id)
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+
+      def project
+        @project ||= ::Project.new(namespace_id: params[:namespace_id])
      end
    end
  end

--- a/ee/changelogs/unreleased/security-project-from-template-vuln.yml
+++ b/ee/changelogs/unreleased/security-project-from-template-vuln.yml
+---
+title: Do not allow creation of projects from group templates if project is not descendant
+  of that group
+merge_request:
+author:
+type: security
--- a/ee/spec/services/projects/create_from_template_service_spec.rb
+++ b/ee/spec/services/projects/create_from_template_service_spec.rb
@@ -160,6 +160,14 @@ describe Projects::CreateFromTemplateService do

          it_behaves_like 'a project that isn\'t persisted'
        end
+
+        context 'when project is created outside of group hierarchy' do
+          let(:user) { create(:user) }
+          let(:project) { create(:project, :public, namespace: user.namespace) }
+          let(:namespace_id) { user.namespace_id }
+
+          it_behaves_like 'a project that isn\'t persisted'
+        end
      end

      context 'when the namespace is inside the hierarchy of the Group owning the template' do