92e2edec
Commit
92e2edec
authored
6 years ago
by
Mario de la Ossa
Fix IDOR in draft notes publishing
parent
7e45c1ac
Changes
5
Showing
5 changed files
with
37 additions
and
13 deletions
+37
-13
ee/app/controllers/projects/merge_requests/drafts_controller.rb
.../controllers/projects/merge_requests/drafts_controller.rb
+7
-3
ee/app/services/draft_notes/publish_service.rb
ee/app/services/draft_notes/publish_service.rb
+4
-6
ee/changelogs/unreleased/security-IDOR-note-drafts-publish.yml
...angelogs/unreleased/security-IDOR-note-drafts-publish.yml
+5
-0
ee/spec/controllers/projects/merge_requests/drafts_controller_spec.rb
...rollers/projects/merge_requests/drafts_controller_spec.rb
+17
-0
ee/spec/services/draft_notes/publish_service_spec.rb
ee/spec/services/draft_notes/publish_service_spec.rb
+4
-4
ee/app/controllers/projects/merge_requests/drafts_controller.rb
@@ -8,6 +8,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
before_action
:check_draft_notes_available!
,
except:
[
:index
]
before_action
:authorize_create_draft!
,
only:
[
:create
]
before_action
:authorize_admin_draft!
,
only:
[
:update
,
:destroy
]
before_action
:authorize_admin_draft!
,
only:
[
:publish
],
if:
->
{
params
[
:id
].
present?
}
def
index
drafts
=
prepare_notes_for_rendering
(
draft_notes
)
@@ -40,7 +41,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
end
def
publish
DraftNotes
::
PublishService
.
new
(
merge_request
,
current_user
).
execute
(
params
[
:id
]
)
DraftNotes
::
PublishService
.
new
(
merge_request
,
current_user
).
execute
(
draft_note
(
allow_nil:
true
)
)
head
:ok
end
@@ -53,10 +54,13 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
private
def
draft_note
def
draft_note
(
allow_nil:
false
)
strong_memoize
(
:draft_note
)
do
draft_notes
.
try
(
:find
,
params
[
:id
])
draft_notes
.
find
(
params
[
:id
])
end
rescue
ActiveRecord
::
RecordNotFound
=>
ex
# draft_note is allowed to be nil in #publish
raise
ex
unless
allow_nil
end
def
draft_notes
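Review bot: In the `rescue ActiveRecord::RecordNotFound => ex` clause of `draft_note(allow_nil: false)`, a bare `raise unless allow_nil` re-raises the current exception, so the `=> ex` capture and `raise ex` can be dropped. The new `before_action :authorize_admin_draft!, only: [:publish], if: -> { params[:id].present? }` skips authorization entirely when no id is given, which is only safe because `#publish` then passes `nil` to the service and `draft_notes` (body outside this hunk, presumably scoped to `current_user`) bounds what gets published; a comment such as `# with no id, #publish publishes only the current user's own drafts, so there is no single record to authorize` would make that reasoning visible next to the guard. The other-user case now 404s only if `authorize_admin_draft!` (outside this hunk) loads the record through `draft_note` with the default `allow_nil: false`, which is worth stating in the `# draft_note is allowed to be nil in #publish` comment. Note also that `strong_memoize` does not cache when `find` raises, so repeated `draft_note(allow_nil: true)` calls repeat the query; harmless here. The controller class continues outside these hunks.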
ee/app/services/draft_notes/publish_service.rb
@@ -2,9 +2,9 @@
module
DraftNotes
class
PublishService
<
DraftNotes
::
BaseService
def
execute
(
draft
_id
=
nil
)
if
draft
_id
publish_draft_note
(
draft
_id
)
def
execute
(
draft
=
nil
)
if
draft
publish_draft_note
(
draft
)
else
publish_draft_notes
end
@@ -12,9 +12,7 @@ module DraftNotes
private
def
publish_draft_note
(
draft_id
)
draft
=
DraftNote
.
find
(
draft_id
)
def
publish_draft_note
(
draft
)
create_note_from_draft
(
draft
)
draft
.
delete
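Review bot: `execute(draft = nil)` and `publish_draft_note(draft)` now accept a record and no longer call `DraftNote.find`, so the service performs no ownership check of its own and relies entirely on the caller having loaded `draft` from a user-scoped relation; that contract is not written down anywhere in the hunk. A comment on `execute`, e.g. `# `draft` must already be authorized for the acting user (the controller loads it through its own scoped draft_notes); this service does no ownership check itself`, would stop a future caller from handing it an arbitrary record and reintroducing the original lookup-by-id problem. If `DraftNotes::BaseService` exposes the user passed to `new(merge_request, user)`, a defensive guard that rejects a draft whose author is not that user would make the service safe on its own (the spec factories set `author:`, so an author attribute appears to exist, but confirm the name before relying on it). `publish_draft_notes` and the rest of the class are outside these hunks.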
ee/changelogs/unreleased/security-IDOR-note-drafts-publish.yml
0 → 100644
---
title
:
Fix IDOR at /drafts/publish
merge_request
:
author
:
type
:
security
ee/spec/controllers/projects/merge_requests/drafts_controller_spec.rb
@@ -153,6 +153,7 @@ describe Projects::MergeRequests::DraftsController do
context
'without permissions'
do
before
do
sign_in
(
user2
)
project
.
add_developer
(
user2
)
end
it
'does not allow editing draft note belonging to someone else'
do
@@ -176,6 +177,22 @@ describe Projects::MergeRequests::DraftsController do
end
describe
'POST #publish'
do
context
'without permissions'
do
before
do
sign_in
(
user2
)
project
.
add_developer
(
user2
)
end
it
'does not allow publishing draft note belonging to someone else'
do
draft
=
create
(
:draft_note
,
merge_request:
merge_request
,
author:
user
)
expect
{
post
:publish
,
params
.
merge
(
id:
draft
.
id
)
}.
to
change
{
Note
.
count
}.
by
(
0
)
.
and
change
{
DraftNote
.
count
}.
by
(
0
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
it
'publishes draft notes with position'
do
diff_refs
=
project
.
commit
(
RepoHelpers
.
sample_commit
.
id
).
try
(
:diff_refs
)
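Review bot: The new 'does not allow publishing draft note belonging to someone else' example pins the other-user case, but nothing covers an `id` that matches no draft at all; that path must also return 404 rather than fall through to publishing every draft, and the suite does not assert it. A sibling example along the lines of `post :publish, params.merge(id: <an id that no DraftNote has>)` followed by `expect(response).to have_gitlab_http_status(404)` and the same `change { Note.count }.by(0)` expectation would close the gap (substitute whatever helper the suite provides for a never-assigned id). Whether that case actually 404s depends on `authorize_admin_draft!` in the controller, which is outside this file.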
ee/spec/services/draft_notes/publish_service_spec.rb
@@ -6,14 +6,14 @@ describe DraftNotes::PublishService do
let
(
:project
)
{
merge_request
.
target_project
}
let
(
:user
)
{
merge_request
.
author
}
def
publish
(
id
:
nil
)
DraftNotes
::
PublishService
.
new
(
merge_request
,
user
).
execute
(
id
)
def
publish
(
draft
:
nil
)
DraftNotes
::
PublishService
.
new
(
merge_request
,
user
).
execute
(
draft
)
end
it
'publishes a single draft note'
do
drafts
=
create_list
(
:draft_note
,
2
,
merge_request:
merge_request
,
author:
user
)
expect
{
publish
(
id:
drafts
.
first
.
id
)
}.
to
change
{
DraftNote
.
count
}.
by
(
-
1
).
and
change
{
Note
.
count
}.
by
(
1
)
expect
{
publish
(
draft:
drafts
.
first
)
}.
to
change
{
DraftNote
.
count
}.
by
(
-
1
).
and
change
{
Note
.
count
}.
by
(
1
)
expect
(
DraftNote
.
count
).
to
eq
(
1
)
end
@@ -58,7 +58,7 @@ describe DraftNotes::PublishService do
let
(
:draft_note
)
{
create
(
:draft_note
,
merge_request:
merge_request
,
author:
user
,
resolve_discussion:
true
,
discussion_id:
note
.
discussion
.
reply_id
)
}
it
'resolves the discussion'
do
publish
(
id:
draft_note
.
id
)
publish
(
draft:
draft_note
)
expect
(
note
.
discussion
.
resolved?
).
to
be
true
end