authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-26 21:41:00 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-06-26 21:41:00 +0000
commitdd6e07eee94fec79c052a7ec0182b4196f8db91b (patch)
tree25ff2147ef4c657ceeb997c14ebd38e7876a7089
parent87c6c8dabc402c4692e426d48d58febd4994be7f (diff)
parent21b8ccde8af20e5ae35e66de32fbb7947bc70372 (diff)
Merge branch 'security-12-0-mr-head-pipeline-leak' into '12-0-stable'
Fix MR head pipeline leak See merge request gitlab/gitlabhq!3154
-rw-r--r--changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml5
-rw-r--r--lib/api/entities.rb4
-rw-r--r--spec/requests/api/merge_requests_spec.rb25
3 files changed, 33 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml
new file mode 100644
index 00000000000..fe8c4dfb3c8
--- /dev/null
+++ b/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Gate MR head_pipeline behind read_pipeline ability.
+merge_request:
+author:
+type: security
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 9c7a7fad742..effb5b1358c 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -757,7 +757,9 @@ module API
merge_request.metrics&.pipeline
end
- expose :head_pipeline, using: 'API::Entities::Pipeline'
+ expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
+ Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
+ end
expose :diff_refs, using: Entities::DiffRefs
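Review bot: The added `if:` lambda authorises against `options[:project]` instead of the pipeline actually being serialised, so for a merge request opened from a fork (where the head pipeline can live in the source project) and for any caller that renders this entity without setting `options[:project]` the check is against the wrong subject or a nil one — both worth confirming against the callers. Checking the exposed object directly avoids both cases: `expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (mr, options) do` / `Ability.allowed?(options[:current_user], :read_pipeline, mr.head_pipeline)`, which presumes the pipeline policy delegates to its project as elsewhere in this codebase. The neighbouring `pipeline` exposure whose block closes at the top of the hunk (`merge_request.metrics&.pipeline`) receives no guard in this commit; if it uses the same `Pipeline` entity it likely leaks the same fields and should be gated identically. The enclosing entity class starts and ends outside the hunk.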
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 9f9180bc8c9..e00a513b31e 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -834,6 +834,31 @@ describe API::MergeRequests do
end
end
+ context 'head_pipeline' do
+ before do
+ merge_request.update(head_pipeline: create(:ci_pipeline))
+ merge_request.project.project_feature.update(builds_access_level: 10)
+ end
+
+ context 'when user can read the pipeline' do
+ it 'exposes pipeline information' do
+ get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", user)
+
+ expect(json_response).to include('head_pipeline')
+ end
+ end
+
+ context 'when user can not read the pipeline' do
+ let(:guest) { create(:user) }
+
+ it 'does not expose pipeline information' do
+ get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", guest)
+
+ expect(json_response).not_to include('head_pipeline')
+ end
+ end
+ end
+
it 'returns the commits behind the target branch when include_diverged_commits_count is present' do
allow_any_instance_of(merge_request.class).to receive(:diverged_commits_count).and_return(1)