Merge branch 'security-fix-badges-leaked-to-unauthorized-users-11-11' into '11-11-stable'

Don't display badges when builds are restricted See merge request gitlab/gitlabhq!3186

Merge branch 'security-fix-badges-leaked-to-unauthorized-users-11-11' into '11-11-stable'
Don't display badges when builds are restricted See merge request gitlab/gitlabhq!3186
ae2d851b · GitLab Release Tools Bot · 57d0cc87 · d1fdbf8c · ae2d851b · ae2d851b
Commit ae2d851b authored Jul 24, 2019 by GitLab Release Tools Bot
3 changed files
--- a/app/controllers/projects/badges_controller.rb
+++ b/app/controllers/projects/badges_controller.rb
@@ -3,7 +3,8 @@
 class Projects::BadgesController < Projects::ApplicationController
  layout 'project_settings'
  before_action :authorize_admin_project!, only: [:index]
-  before_action :no_cache_headers, except: [:index]
+  before_action :no_cache_headers, only: [:pipeline, :coverage]
+  before_action :authorize_read_build!, only: [:pipeline, :coverage]
  def pipeline
    pipeline_status = Gitlab::Badge::Pipeline::Status

--- a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
+++ b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
+---
+title: Show badges if pipelines are public otherwise default to project permissions.
+erge_request:
+author:
+type: security
--- a/spec/controllers/projects/badges_controller_spec.rb
+++ b/spec/controllers/projects/badges_controller_spec.rb
@@ -7,32 +7,54 @@ describe Projects::BadgesController do
  let!(:pipeline) { create(:ci_empty_pipeline) }
  let(:user) { create(:user) }
+  shared_examples 'a badge resource' do |badge_type|
+    context 'when pipelines are public' do
      before do
-    project.add_maintainer(user)
+        project.update!(public_builds: true)
-    sign_in(user)
+      end
+      context 'when project is public' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
        end
-  it 'requests the pipeline badge successfully' do
+        it "returns the #{badge_type} badge to unauthenticated users" do
-    get_badge(:pipeline)
+          get_badge(badge_type)
          expect(response).to have_gitlab_http_status(:ok)
        end
+      end
-  it 'requests the coverage badge successfully' do
+      context 'when project is restricted' do
-    get_badge(:coverage)
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.add_guest(user)
+          sign_in(user)
+        end
+        it "returns the #{badge_type} badge to guest users" do
+          get_badge(badge_type)
          expect(response).to have_gitlab_http_status(:ok)
        end
+      end
+    end
+    context 'format' do
+      before do
+        project.add_maintainer(user)
+        sign_in(user)
+      end
      it 'renders the `flat` badge layout by default' do
-    get_badge(:coverage)
+        get_badge(badge_type)
        expect(response).to render_template('projects/badges/badge')
      end
      context 'when style param is set to `flat`' do
        it 'renders the `flat` badge layout' do
-      get_badge(:coverage, 'flat')
+          get_badge(badge_type, 'flat')
          expect(response).to render_template('projects/badges/badge')
        end
@@ -40,7 +62,7 @@ describe Projects::BadgesController do
      context 'when style param is set to an invalid type' do
        it 'renders the `flat` (default) badge layout' do
-      get_badge(:coverage, 'xxx')
+          get_badge(badge_type, 'xxx')
          expect(response).to render_template('projects/badges/badge')
        end
@@ -48,11 +70,53 @@ describe Projects::BadgesController do
      context 'when style param is set to `flat-square`' do
        it 'renders the `flat-square` badge layout' do
-      get_badge(:coverage, 'flat-square')
+          get_badge(badge_type, 'flat-square')
          expect(response).to render_template('projects/badges/badge_flat-square')
        end
      end
+    end
+    context 'when pipelines are not public' do
+      before do
+        project.update!(public_builds: false)
+      end
+      context 'when project is public' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+        end
+        it 'returns 404 to unauthenticated users' do
+          get_badge(badge_type)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+      context 'when project is restricted to the user' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.add_guest(user)
+          sign_in(user)
+        end
+        it 'defaults to project permissions' do
+          get_badge(:coverage)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+  describe '#pipeline' do
+    it_behaves_like 'a badge resource', :pipeline
+  end
+  describe '#coverage' do
+    it_behaves_like 'a badge resource', :coverage
+  end
  def get_badge(badge, style = nil)
    params = {