Merge branch 'security-mr-head-pipeline-leak' into 'master'

[master] Fix MR head pipeline leak

See merge request gitlab/gitlabhq!3148

changelogs/unreleased/security-mr-head-pipeline-leak.yml

+---
+title: Gate MR head_pipeline behind read_pipeline ability.
+merge_request:
+author:
+type: security

lib/api/entities.rb

@@ -757,7 +757,9 @@ module API
         merge_request.metrics&.pipeline
       end
 
-      expose :head_pipeline, using: 'API::Entities::Pipeline'
+      expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
+        Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
+      end
 
       expose :diff_refs, using: Entities::DiffRefs
 

spec/requests/api/merge_requests_spec.rb

@@ -834,6 +834,31 @@ describe API::MergeRequests do
       end
     end
 
+    context 'head_pipeline' do
+      before do
+        merge_request.update(head_pipeline: create(:ci_pipeline))
+        merge_request.project.project_feature.update(builds_access_level: 10)
+      end
+
+      context 'when user can read the pipeline' do
+        it 'exposes pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", user)
+
+          expect(json_response).to include('head_pipeline')
+        end
+      end
+
+      context 'when user can not read the pipeline' do
+        let(:guest) { create(:user) }
+
+        it 'does not expose pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", guest)
+
+          expect(json_response).not_to include('head_pipeline')
+        end
+      end
+    end
+
     it 'returns the commits behind the target branch when include_diverged_commits_count is present' do
       allow_any_instance_of(merge_request.class).to receive(:diverged_commits_count).and_return(1)