Merge branch 'security-file-template-project' into 'master'

Do not expose private group ID through group API Closes #118 See merge request gitlab-org/security/gitlab!447

Merge branch 'security-file-template-project' into 'master'
Do not expose private group ID through group API Closes #118 See merge request gitlab-org/security/gitlab!447
f13b8c4d · GitLab Release Tools Bot · 03213b25 · dd199ff7 · f13b8c4d · f13b8c4d
Commit f13b8c4d authored Apr 27, 2020 by GitLab Release Tools Bot
3 changed files
--- a/changelogs/unreleased/security-file-template-project.yml
+++ b/changelogs/unreleased/security-file-template-project.yml
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/api/entities/group.rb
+++ b/ee/lib/ee/api/entities/group.rb
@@ -14,7 +14,11 @@ module EE

          expose :checked_file_template_project_id,
                 as: :file_template_project_id,
-                 if: ->(group, options) { group.feature_available?(:custom_file_templates_for_namespace) }
+                 if: ->(group, options) {
+                       group.feature_available?(:custom_file_templates_for_namespace) &&
+                       Ability.allowed?(options[:current_user], :read_project, group.checked_file_template_project)
+                     }
+
          expose :marked_for_deletion_on, if: ->(group, _) { group.feature_available?(:adjourned_deletion_for_projects_and_groups) }
        end
      end

--- a/ee/spec/requests/api/groups_spec.rb
+++ b/ee/spec/requests/api/groups_spec.rb
@@ -106,6 +106,41 @@ describe API::Groups do
        end
      end
    end
+
+    context 'file_template_project_id is a private project' do
+      let_it_be(:private_project) { create(:project, :private, group: group) }
+
+      before do
+        stub_licensed_features(custom_file_templates_for_namespace: true)
+        group.update_attribute(:file_template_project_id, private_project.id)
+      end
+
+      context 'user has permission to private project' do
+        it 'returns file_template_project_id' do
+          private_project.add_maintainer(user)
+
+          get api("/groups/#{group.id}", user)
+
+          expect(json_response).to have_key 'file_template_project_id'
+        end
+      end
+
+      context 'user does not have permission to private project' do
+        it 'does not return file_template_project_id' do
+          get api("/groups/#{group.id}", another_user)
+
+          expect(json_response).not_to have_key 'file_template_project_id'
+        end
+      end
+
+      context 'user is not logged in' do
+        it 'does not return file_template_project_id' do
+          get api("/groups/#{group.id}")
+
+          expect(json_response).not_to have_key 'file_template_project_id'
+        end
+      end
+    end
  end

  describe 'PUT /groups/:id' do