diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:37:01 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:37:01 +0000 |
commit | d8b4e585a131879d3094dea287d19bfa0cf18333 (patch) | |
tree | 3803059194772bb3f93eca5dfd84107549c33fcc | |
parent | 9d9591f43c0d0948267a75fc098f0c325aa75535 (diff) | |
parent | d5c858cd4032b3bf37c6fbe47340ccea825503bc (diff) | |
download | gitlab-ce-d8b4e585a131879d3094dea287d19bfa0cf18333.tar.gz |
Merge branch 'security-tags-oracle' into 'master'
Prevent Releases links API to leak tag existence
Closes #2795
See merge request gitlab/gitlabhq!2893
-rw-r--r-- | changelogs/unreleased/security-tags-oracle.yml | 5 | ||||
-rw-r--r-- | lib/api/release/links.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/release/links_spec.rb | 16 |
3 files changed, 23 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml new file mode 100644 index 00000000000..eb8ad6f646c --- /dev/null +++ b/changelogs/unreleased/security-tags-oracle.yml @@ -0,0 +1,5 @@ +--- +title: Prevent releases links API to leak tag existance +merge_request: +author: +type: security diff --git a/lib/api/release/links.rb b/lib/api/release/links.rb index e3072684ef7..5d1b40e3bff 100644 --- a/lib/api/release/links.rb +++ b/lib/api/release/links.rb @@ -8,6 +8,8 @@ module API RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS .merge(tag_name: API::NO_SLASH_URL_PART_REGEX) + before { authorize! :read_release, user_project } + params do requires :id, type: String, desc: 'The ID of a project' end diff --git a/spec/requests/api/release/links_spec.rb b/spec/requests/api/release/links_spec.rb index ba948e37e2f..3a59052bb29 100644 --- a/spec/requests/api/release/links_spec.rb +++ b/spec/requests/api/release/links_spec.rb @@ -73,6 +73,22 @@ describe API::Release::Links do expect(response).to have_gitlab_http_status(:ok) end end + + context 'when project is public and the repository is private' do + let(:project) { create(:project, :repository, :public, :repository_private) } + + it_behaves_like '403 response' do + let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) } + end + + context 'when the release does not exists' do + let!(:release) { } + + it_behaves_like '403 response' do + let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) } + end + end + end end end |