Disable Github Importer API by settings

The Github importer can be disable in the settings. the API must deny the requests when this setting is disabled.

Disable Github Importer API by settings
The Github importer can be disable in the settings. the API must deny the requests when this setting is disabled.
dafdeb00 · Kassio Borges · 101422cc · dafdeb00 · dafdeb00 · dafdeb00
Commit dafdeb00 authored May 27, 2020 by Kassio Borges
3 changed files
--- a/changelogs/unreleased/security-disable-github-import-api-by-seetings.yml
+++ b/changelogs/unreleased/security-disable-github-import-api-by-seetings.yml
+---
+title: Disable Github Importer API by settings
+merge_request:
+author:
+type: security
--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@@ -4,6 +4,10 @@ module API
  class ImportGithub < Grape::API
    rescue_from Octokit::Unauthorized, with: :provider_unauthorized

+    before do
+      forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('github')
+    end
+
    helpers do
      def client
        @client ||= Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], client_options)

--- a/spec/requests/api/import_github_spec.rb
+++ b/spec/requests/api/import_github_spec.rb
@@ -26,6 +26,18 @@ describe API::ImportGithub do
      end
    end

+    it 'rejects requests when Github Importer is disabled' do
+      stub_application_setting(import_sources: nil)
+
+      post api("/import/github", user), params: {
+        target_namespace: user.namespace_path,
+        personal_access_token: token,
+        repo_id: non_existing_record_id
+      }
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
    it 'returns 201 response when the project is imported successfully' do
      allow(Gitlab::LegacyGithubImport::ProjectCreator)
        .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)