authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-09-26 13:52:35 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-09-26 13:52:35 +0000
commit1877146807970691db866096791b7bdd7596c883 (patch)
tree0aca10097e1bd42bff9e8051c0a183f798d6490c
parentf6fce08b36f3dcd3acf6156209d22b08b7967b9c (diff)
parentf991af9a16ab9da6b47ca6082de37acfb4f538d0 (diff)
Merge branch 'security-64938-dont-disclose-path-12-1-ce' into '12-1-stable'
Redirect the user to the root path after unsubscribing from a private resource they cannot read, instead of to the resource's path. See merge request gitlab/gitlabhq!3418
-rw-r--r--app/controllers/sent_notifications_controller.rb6
-rw-r--r--changelogs/unreleased/security-64938-dont-disclose-path.yml6
-rw-r--r--spec/controllers/sent_notifications_controller_spec.rb29
3 files changed, 40 insertions, 1 deletions
diff --git a/app/controllers/sent_notifications_controller.rb b/app/controllers/sent_notifications_controller.rb
index 77757c4a3ef..267f8caab77 100644
--- a/app/controllers/sent_notifications_controller.rb
+++ b/app/controllers/sent_notifications_controller.rb
@@ -19,7 +19,11 @@ class SentNotificationsController < ApplicationController
flash[:notice] = _("You have been unsubscribed from this thread.")
if current_user
- redirect_to noteable_path(noteable)
+ if current_user.can?(:"read_#{noteable.class.to_ability_name}", noteable)
+ redirect_to noteable_path(noteable)
+ else
+ redirect_to root_path
+ end
else
redirect_to new_user_session_path
end
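Review bot: The new `can?` guard on the `current_user` branch builds the ability from `noteable.class.to_ability_name`, so it silently depends on every noteable type this controller can receive exposing `to_ability_name` and having a matching `read_*` policy rule; if a noteable type without one reaches this action, the check evaluates to false and the user is sent to `root_path` even when they could have read the resource, which is safe but worth a comment. Consider extracting the decision into a private predicate so it can be reused and specced in isolation, e.g. `def can_read_noteable?(noteable)` / `current_user.can?(:"read_#{noteable.class.to_ability_name}", noteable)`, and add a one-line why-comment above the branch such as `# Do not leak a private project's path to a user who cannot read the noteable`. The enclosing `unsubscribe` action starts outside this hunk, so whether `noteable` can be nil here (which would raise on `.class.to_ability_name`) cannot be confirmed from the visible lines.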
diff --git a/changelogs/unreleased/security-64938-dont-disclose-path.yml b/changelogs/unreleased/security-64938-dont-disclose-path.yml
new file mode 100644
index 00000000000..0c858401233
--- /dev/null
+++ b/changelogs/unreleased/security-64938-dont-disclose-path.yml
@@ -0,0 +1,6 @@
+---
+title: Fix new project path being disclosed through unsubscribe link of issue/merge
+ requests
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/sent_notifications_controller_spec.rb b/spec/controllers/sent_notifications_controller_spec.rb
index 89857a9d21b..52ede54a22b 100644
--- a/spec/controllers/sent_notifications_controller_spec.rb
+++ b/spec/controllers/sent_notifications_controller_spec.rb
@@ -208,6 +208,35 @@ describe SentNotificationsController do
.to redirect_to(project_merge_request_path(project, merge_request))
end
end
+
+ context 'when project is private' do
+ context 'and user does not have access' do
+ let(:noteable) { issue }
+ let(:target_project) { private_project }
+
+ before do
+ get(:unsubscribe, params: { id: sent_notification.reply_key })
+ end
+
+ it 'unsubscribes user and redirects to root path' do
+ expect(response).to redirect_to(root_path)
+ end
+ end
+
+ context 'and user has access' do
+ let(:noteable) { issue }
+ let(:target_project) { private_project }
+
+ before do
+ private_project.add_developer(user)
+ get(:unsubscribe, params: { id: sent_notification.reply_key })
+ end
+
+ it 'unsubscribes user and redirects to issue path' do
+ expect(response).to redirect_to(project_issue_path(private_project, issue))
+ end
+ end
+ end
end
end
end
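Review bot: The example titled "unsubscribes user and redirects to root path" only asserts the redirect; nothing in the new context verifies that the unsubscription actually happened or that the flash notice was set, so a regression that short-circuits before unsubscribing would still pass. If the file's other examples check subscription state, mirror that here, e.g. `expect(issue.subscribed?(user, private_project)).to be_falsey`, in both the no-access and has-access contexts. The two inner contexts also repeat `let(:noteable) { issue }` and `let(:target_project) { private_project }`; hoisting both into the outer `'when project is private'` context removes the duplication, and a parallel case for a merge request noteable would cover the second class the changelog names. Whether `private_project` and `sent_notification` are defined for this scope is not visible in the hunk.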