Commit fa77293b authored by Marin Jankovski's avatar Marin Jankovski

Merge branch 'security-mr-head-pipeline-leak' into 'master'

[master] Fix MR head pipeline leak

See merge request gitlab/gitlabhq!3148
parents 108a6e4f 4b8097c7
---
title: Gate MR head_pipeline behind read_pipeline ability.
merge_request:
author:
type: security
......@@ -757,7 +757,9 @@ module API
merge_request.metrics&.pipeline
end
expose :head_pipeline, using: 'API::Entities::Pipeline'
expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
end
expose :diff_refs, using: Entities::DiffRefs
......
......@@ -834,6 +834,31 @@ describe API::MergeRequests do
end
end
context 'head_pipeline' do
before do
merge_request.update(head_pipeline: create(:ci_pipeline))
merge_request.project.project_feature.update(builds_access_level: 10)
end
context 'when user can read the pipeline' do
it 'exposes pipeline information' do
get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", user)
expect(json_response).to include('head_pipeline')
end
end
context 'when user can not read the pipeline' do
let(:guest) { create(:user) }
it 'does not expose pipeline information' do
get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", guest)
expect(json_response).not_to include('head_pipeline')
end
end
end
it 'returns the commits behind the target branch when include_diverged_commits_count is present' do
allow_any_instance_of(merge_request.class).to receive(:diverged_commits_count).and_return(1)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment