Merge branch 'security-tags-oracle-11-8' into '11-8-stable'

Prevent Releases links API to leak tag existence

See merge request gitlab/gitlabhq!2908

3 files changed, 23 insertions, 0 deletions

diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml
new file mode 100644
index 00000000000..eb8ad6f646c
--- /dev/null
+++ b/changelogs/unreleased/security-tags-oracle.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
diff --git a/lib/api/release/links.rb b/lib/api/release/links.rb
index e3072684ef7..5d1b40e3bff 100644
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
@@ -8,6 +8,8 @@ module API
       RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
         .merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
 
+      before { authorize! :read_release, user_project }
+
       params do
         requires :id, type: String, desc: 'The ID of a project'
       end
diff --git a/spec/requests/api/release/links_spec.rb b/spec/requests/api/release/links_spec.rb
index ba948e37e2f..3a59052bb29 100644
--- a/spec/requests/api/release/links_spec.rb
+++ b/spec/requests/api/release/links_spec.rb
@@ -73,6 +73,22 @@ describe API::Release::Links do
           expect(response).to have_gitlab_http_status(:ok)
         end
       end
+
+      context 'when project is public and the repository is private' do
+        let(:project) { create(:project, :repository, :public, :repository_private) }
+
+        it_behaves_like '403 response' do
+          let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+        end
+
+        context 'when the release does not exists' do
+          let!(:release) { }
+
+          it_behaves_like '403 response' do
+            let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+          end
+        end
+      end
     end
   end