Commit 9b561836 authored by allison.browne's avatar allison.browne

Fix unauthorized access to schedule variables

Security fix for single pipeline schedule api view
parent 5b982e86
...@@ -17,6 +17,7 @@ module Ci ...@@ -17,6 +17,7 @@ module Ci
rule { can?(:admin_pipeline) | (can?(:update_build) & owner_of_schedule) }.policy do rule { can?(:admin_pipeline) | (can?(:update_build) & owner_of_schedule) }.policy do
enable :update_pipeline_schedule enable :update_pipeline_schedule
enable :admin_pipeline_schedule enable :admin_pipeline_schedule
enable :read_pipeline_schedule_variables
end end
rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do
......
---
title: Fix unauthorized user is able to access schedule pipeline variables and values
merge_request:
author:
type: security
...@@ -36,7 +36,7 @@ module API ...@@ -36,7 +36,7 @@ module API
requires :pipeline_schedule_id, type: Integer, desc: 'The pipeline schedule id' requires :pipeline_schedule_id, type: Integer, desc: 'The pipeline schedule id'
end end
get ':id/pipeline_schedules/:pipeline_schedule_id' do get ':id/pipeline_schedules/:pipeline_schedule_id' do
present pipeline_schedule, with: Entities::Ci::PipelineScheduleDetails present pipeline_schedule, with: Entities::Ci::PipelineScheduleDetails, user: current_user
end end
desc 'Create a new pipeline schedule' do desc 'Create a new pipeline schedule' do
......
...@@ -5,7 +5,9 @@ module API ...@@ -5,7 +5,9 @@ module API
module Ci module Ci
class PipelineScheduleDetails < PipelineSchedule class PipelineScheduleDetails < PipelineSchedule
expose :last_pipeline, using: ::API::Entities::Ci::PipelineBasic expose :last_pipeline, using: ::API::Entities::Ci::PipelineBasic
expose :variables, using: ::API::Entities::Ci::Variable expose :variables,
using: ::API::Entities::Ci::Variable,
if: ->(schedule, options) { Ability.allowed?(options[:user], :read_pipeline_schedule_variables, schedule) }
end end
end end
end end
......
...@@ -137,7 +137,7 @@ RSpec.describe ProjectPolicy do ...@@ -137,7 +137,7 @@ RSpec.describe ProjectPolicy do
it 'disallows all permissions except pipeline when the feature is disabled' do it 'disallows all permissions except pipeline when the feature is disabled' do
builds_permissions = [ builds_permissions = [
:create_build, :read_build, :update_build, :admin_build, :destroy_build, :create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, :create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
......
...@@ -97,46 +97,112 @@ RSpec.describe API::Ci::PipelineSchedules do ...@@ -97,46 +97,112 @@ RSpec.describe API::Ci::PipelineSchedules do
pipeline_schedule.pipelines << build(:ci_pipeline, project: project) pipeline_schedule.pipelines << build(:ci_pipeline, project: project)
end end
context 'authenticated user with valid permissions' do matcher :return_pipeline_schedule_sucessfully do
it 'returns pipeline_schedule details' do match_unless_raises do |reponse|
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('pipeline_schedule') expect(response).to match_response_schema('pipeline_schedule')
end end
end
it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do shared_context 'request with project permissions' do
get api("/projects/#{project.id}/pipeline_schedules/-5", developer) context 'authenticated user with project permisions' do
before do
project.add_maintainer(user)
end
expect(response).to have_gitlab_http_status(:not_found) it 'returns pipeline_schedule details' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to return_pipeline_schedule_sucessfully
expect(json_response).to have_key('variables')
end
end end
end end
context 'authenticated user with invalid permissions' do shared_examples 'request with schedule ownership' do
it 'does not return pipeline_schedules list' do context 'authenticated user with pipeline schedule ownership' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user) it 'returns pipeline_schedule details' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
expect(response).to have_gitlab_http_status(:not_found) expect(response).to return_pipeline_schedule_sucessfully
expect(json_response).to have_key('variables')
end
end end
end end
context 'authenticated user with insufficient permissions' do shared_examples 'request with unauthenticated user' do
before do context 'with unauthenticated user' do
project.add_guest(user) it 'does not return pipeline_schedule' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
expect(response).to have_gitlab_http_status(:unauthorized)
end
end end
end
it 'does not return pipeline_schedules list' do shared_examples 'request with non-existing pipeline_schedule' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user) it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do
get api("/projects/#{project.id}/pipeline_schedules/-5", developer)
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
end end
context 'unauthenticated user' do context 'with private project' do
it 'does not return pipeline_schedules list' do it_behaves_like 'request with schedule ownership'
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}") it_behaves_like 'request with project permissions'
it_behaves_like 'request with unauthenticated user'
it_behaves_like 'request with non-existing pipeline_schedule'
expect(response).to have_gitlab_http_status(:unauthorized) context 'authenticated user with no project permissions' do
it 'does not return pipeline_schedule' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'authenticated user with insufficient project permissions' do
before do
project.add_guest(user)
end
it 'does not return pipeline_schedule' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'with public project' do
let_it_be(:project) { create(:project, :repository, :public, public_builds: false) }
it_behaves_like 'request with schedule ownership'
it_behaves_like 'request with project permissions'
it_behaves_like 'request with unauthenticated user'
it_behaves_like 'request with non-existing pipeline_schedule'
context 'authenticated user with no project permissions' do
it 'returns pipeline_schedule with no variables' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to return_pipeline_schedule_sucessfully
expect(json_response).not_to have_key('variables')
end
end
context 'authenticated user with insufficient project permissions' do
before do
project.add_guest(user)
end
it 'returns pipeline_schedule with no variables' do
get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
expect(response).to return_pipeline_schedule_sucessfully
expect(json_response).not_to have_key('variables')
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment