summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-06-03 08:27:55 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-06-03 08:27:55 +0000
commite36433a15c78f372516e106a8e772bf47c8e9769 (patch)
tree50c090b3565fefe43b7e0e4e71d1c15084471ab9
parent086a9faab8bd90f37f9f6be7f8f839a65d388cfa (diff)
downloadgitlab-ce-e36433a15c78f372516e106a8e772bf47c8e9769.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
-rw-r--r--app/policies/project_policy.rb1
-rw-r--r--changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml5
-rw-r--r--spec/policies/project_policy_spec.rb55
3 files changed, 50 insertions, 11 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7454343a357..bddd86d7ada 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -392,6 +392,7 @@ class ProjectPolicy < BasePolicy
rule { repository_disabled }.policy do
prevent :push_code
prevent :download_code
+ prevent :build_download_code
prevent :fork_project
prevent :read_commit_status
prevent :read_pipeline
diff --git a/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml b/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
new file mode 100644
index 00000000000..b96480de3c5
--- /dev/null
+++ b/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent fetching repository code with unauthorized ci token
+merge_request:
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index db643e3a31f..b1fab6d2f21 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers
include_context 'ProjectPolicy context'
+ let_it_be(:other_user) { create(:user) }
let_it_be(:guest) { create(:user) }
let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) }
@@ -161,7 +162,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do
- project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
mr_permissions = [:create_merge_request_from, :read_merge_request,
:update_merge_request, :admin_merge_request,
@@ -213,7 +214,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
before do
- project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
end
it 'disallows all permissions except pipeline when the feature is disabled' do
@@ -233,7 +234,7 @@ describe ProjectPolicy do
subject { described_class.new(guest, project) }
before do
- project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE)
+ project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
end
it 'disallows pipeline and commit_status permissions' do
@@ -248,22 +249,54 @@ describe ProjectPolicy do
end
context 'repository feature' do
- subject { described_class.new(owner, project) }
-
- it 'disallows all permissions when the feature is disabled' do
- project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
-
- repository_permissions = [
+ let(:repository_permissions) do
+ [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
- :destroy_release
+ :destroy_release, :download_code, :build_download_code
]
+ end
+
+ context 'when user is a project member' do
+ subject { described_class.new(owner, project) }
+
+ context 'when it is disabled' do
+ before do
+ project.project_feature.update!(
+ repository_access_level: ProjectFeature::DISABLED,
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ builds_access_level: ProjectFeature::DISABLED,
+ forking_access_level: ProjectFeature::DISABLED
+ )
+ end
- expect_disallowed(*repository_permissions)
+ it 'disallows all permissions' do
+ expect_disallowed(*repository_permissions)
+ end
+ end
+ end
+
+ context 'when user is some other user' do
+ subject { described_class.new(other_user, project) }
+
+ context 'when access level is private' do
+ before do
+ project.project_feature.update!(
+ repository_access_level: ProjectFeature::PRIVATE,
+ merge_requests_access_level: ProjectFeature::PRIVATE,
+ builds_access_level: ProjectFeature::PRIVATE,
+ forking_access_level: ProjectFeature::PRIVATE
+ )
+ end
+
+ it 'disallows all permissions' do
+ expect_disallowed(*repository_permissions)
+ end
+ end
end
end