authorGitLab Bot <gitlab-bot@gitlab.com>2021-02-01 08:59:34 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-02-01 08:59:34 +0000
commit41b1c0469dba622a1c2c67c17f1f5e491573accf (patch)
tree09f095297054f3f5077059ded4cd066bd257e052
parent7248f8bff5a90f3ff570c368310c361e1f4e9092 (diff)
downloadgitlab-ce-41b1c0469dba622a1c2c67c17f1f5e491573accf.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
-rw-r--r--app/controllers/projects/releases_controller.rb3
-rw-r--r--app/presenters/release_presenter.rb2
-rw-r--r--changelogs/unreleased/security-guest-can-read-tag-from-releases.yml5
-rw-r--r--spec/controllers/projects/releases_controller_spec.rb9
-rw-r--r--spec/presenters/release_presenter_spec.rb6
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/C++.gitignore0
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/Java.gitignore0
7 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index a6e795a2b91..614bada09ed 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
before_action :require_non_empty_project, except: [:index]
before_action :release, only: %i[edit show update downloads]
before_action :authorize_read_release!
+ # We have to check `download_code` permission because detail URL path
+ # contains git-tag name.
+ before_action :authorize_download_code!, except: [:index]
before_action do
push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)
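Review bot: The new `authorize_download_code!` callback is registered after `before_action :release`, so the release lookup keyed by the user-supplied tag name in the URL still runs for a guest who is denied one callback later; as far as the hunk shows both `authorize_read_release!` and the new check are project-level and do not need `@release`, so they can be declared first. The spec treats the denied guest as "not found", so the visible response is presumably the same either way, but authorizing before the resource lookup stops the tag-based query from executing on behalf of users who may not read the repository. I would move `before_action :release, only: %i[edit show update downloads]` below `before_action :authorize_download_code!, except: [:index]`. The class body continues outside the hunk.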
diff --git a/app/presenters/release_presenter.rb b/app/presenters/release_presenter.rb
index b11585d0d1c..aa6429ab012 100644
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
end
def self_url
+ return unless can_download_code?
+
project_release_url(project, release)
end
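Review bot: The guard added to `self_url` says nothing about why it returns nil, and `can_download_code?` is not defined in the hunk, so a reader has to look at the base presenter to learn that a nil here is a deliberate disclosure control rather than a missing release; I would add `# The release URL embeds the git tag name; hide it from users who cannot read the repository.` above the `return unless` line. Any other helper in this presenter that builds a path from the tag name (an edit URL, for instance) would need the same guard, but the rest of the class is outside the hunk, so I cannot confirm whether such helpers exist.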
diff --git a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
new file mode 100644
index 00000000000..a3b9b21d90a
--- /dev/null
+++ b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid exposing release links when the user cannot read git-tag/repository
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/releases_controller_spec.rb b/spec/controllers/projects/releases_controller_spec.rb
index c1f1373ddc2..fc7ab88bbe0 100644
--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
let_it_be(:private_project) { create(:project, :repository, :private) }
let_it_be(:developer) { create(:user) }
let_it_be(:reporter) { create(:user) }
+ let_it_be(:guest) { create(:user) }
let_it_be(:user) { developer }
let!(:release_1) { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
let!(:release_2) { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
before do
project.add_developer(developer)
project.add_reporter(reporter)
+ project.add_guest(guest)
end
shared_examples_for 'successful request' do
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do
it_behaves_like 'not found'
end
+
+ context 'when user is a guest' do
+ let(:project) { private_project }
+ let(:user) { guest }
+
+ it_behaves_like 'not found'
+ end
end
# `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb
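Review bot: The guest context added here exercises only the action of the enclosing `describe`, which starts outside the hunk, while the controller now applies `authorize_download_code!` to every action except `index`; `edit` and `update` get no guest example in this change (the comment on the last line says `downloads` is covered by the request spec). A matching `context 'when user is a guest'` with `it_behaves_like 'not found'` under each of those actions would pin the new behavior for all of them. The expectation also assumes the denied guest sees not-found rather than forbidden; the shared example is outside the hunk, so I cannot check which status it asserts.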
diff --git a/spec/presenters/release_presenter_spec.rb b/spec/presenters/release_presenter_spec.rb
index b518584569b..4bf12183eff 100644
--- a/spec/presenters/release_presenter_spec.rb
+++ b/spec/presenters/release_presenter_spec.rb
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
it 'returns its own url' do
is_expected.to eq(project_release_url(project, release))
end
+
+ context 'when user is guest' do
+ let(:user) { guest }
+
+ it { is_expected.to be_nil }
+ end
end
describe '#opened_merge_requests_url' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore