author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-03 08:27:55 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-03 08:27:55 +0000 |
commit | e36433a15c78f372516e106a8e772bf47c8e9769 (patch) | |
tree | 50c090b3565fefe43b7e0e4e71d1c15084471ab9 | |
parent | 086a9faab8bd90f37f9f6be7f8f839a65d388cfa (diff) | |
download | gitlab-ce-e36433a15c78f372516e106a8e772bf47c8e9769.tar.gz |
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
-rw-r--r-- | app/policies/project_policy.rb | 1 | ||||
-rw-r--r-- | changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 55 |
3 files changed, 50 insertions, 11 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7454343a357..bddd86d7ada 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -392,6 +392,7 @@ class ProjectPolicy < BasePolicy
   rule { repository_disabled }.policy do
     prevent :push_code
     prevent :download_code
+    prevent :build_download_code
     prevent :fork_project
     prevent :read_commit_status
     prevent :read_pipeline
diff --git a/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml b/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
new file mode 100644
index 00000000000..b96480de3c5
--- /dev/null
+++ b/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent fetching repository code with unauthorized ci token
+merge_request:
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index db643e3a31f..b1fab6d2f21 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 describe ProjectPolicy do
   include ExternalAuthorizationServiceHelpers
   include_context 'ProjectPolicy context'
+  let_it_be(:other_user) { create(:user) }
   let_it_be(:guest) { create(:user) }
   let_it_be(:reporter) { create(:user) }
   let_it_be(:developer) { create(:user) }
@@ -161,7 +162,7 @@ describe ProjectPolicy do
     subject { described_class.new(owner, project) }
 
     it 'disallows all permissions when the feature is disabled' do
-      project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED)
+      project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
 
       mr_permissions = [:create_merge_request_from, :read_merge_request,
                         :update_merge_request, :admin_merge_request,
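Review bot: `prevent :build_download_code` is added to the `repository_disabled` rule with no comment tying it to `download_code`, although the two abilities are meant to be gated identically (the spec hunk later in this commit lists them side by side in `repository_permissions`). A one-line comment above the rule, e.g. `# build_download_code mirrors download_code: any rule that prevents one must prevent the other`, would make that invariant explicit for anyone adding further repository-gating rules. Whether `build_download_code` is also prevented for the private-repository, non-member case cannot be seen from this hunk; the new spec's 'when user is some other user' context suggests it is, but only exercises `ProjectFeature::PRIVATE`. The `.policy do` block's closing `end` lies outside the hunk.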
@@ -213,7 +214,7 @@ describe ProjectPolicy do
     subject { described_class.new(owner, project) }
 
     before do
-      project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
+      project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
     end
 
     it 'disallows all permissions except pipeline when the feature is disabled' do
@@ -233,7 +234,7 @@ describe ProjectPolicy do
     subject { described_class.new(guest, project) }
 
     before do
-      project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE)
+      project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
     end
 
     it 'disallows pipeline and commit_status permissions' do
@@ -248,22 +249,54 @@ describe ProjectPolicy do
   end
 
   context 'repository feature' do
-    subject { described_class.new(owner, project) }
-
-    it 'disallows all permissions when the feature is disabled' do
-      project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
-
-      repository_permissions = [
+    let(:repository_permissions) do
+      [
         :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
         :create_build, :read_build, :update_build, :admin_build, :destroy_build,
         :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
         :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
         :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
         :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
-        :destroy_release
+        :destroy_release, :download_code, :build_download_code
       ]
+    end
+
+    context 'when user is a project member' do
+      subject { described_class.new(owner, project) }
+
+      context 'when it is disabled' do
+        before do
+          project.project_feature.update!(
+            repository_access_level: ProjectFeature::DISABLED,
+            merge_requests_access_level: ProjectFeature::DISABLED,
+            builds_access_level: ProjectFeature::DISABLED,
+            forking_access_level: ProjectFeature::DISABLED
+          )
+        end
 
-      expect_disallowed(*repository_permissions)
+        it 'disallows all permissions' do
+          expect_disallowed(*repository_permissions)
+        end
+      end
+    end
+
+    context 'when user is some other user' do
+      subject { described_class.new(other_user, project) }
+
+      context 'when access level is private' do
+        before do
+          project.project_feature.update!(
+            repository_access_level: ProjectFeature::PRIVATE,
+            merge_requests_access_level: ProjectFeature::PRIVATE,
+            builds_access_level: ProjectFeature::PRIVATE,
+            forking_access_level: ProjectFeature::PRIVATE
+          )
+        end
+
+        it 'disallows all permissions' do
+          expect_disallowed(*repository_permissions)
+        end
+      end
     end
   end
 
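Review bot: The two new `before` blocks in `context 'repository feature'` set `repository_access_level` together with `merge_requests_access_level`, `builds_access_level` and `forking_access_level`, so the examples no longer demonstrate that the repository setting alone prevents `repository_permissions` — `:create_pipeline`, for instance, could equally be prevented by `builds_access_level: ProjectFeature::DISABLED`. Either add a context that changes only `repository_access_level`, or put a comment on each `before` explaining why all four features must be changed together. The hunk also contains no positive example, so nothing pins that the owner keeps `:download_code` and `:build_download_code` while the repository is enabled, and the non-member context covers only `PRIVATE`, not `DISABLED`. The enclosing `describe ProjectPolicy do` block starts outside the hunk.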