authorGitLab Bot <gitlab-bot@gitlab.com>2021-03-30 22:41:19 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-03-30 22:41:36 +0000
commite552c804c1d5314e8ca9deb0f1a4bb399f5c368c (patch)
treea4b6385d4921315d0f88a8c3597beaef7b89421b
parentf433a38361d190faf131126be1764c4fadda4fc3 (diff)
downloadgitlab-ce-e552c804c1d5314e8ca9deb0f1a4bb399f5c368c.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
-rw-r--r--changelogs/unreleased/security-trigger-system-hook-by-post.yml5
-rw-r--r--doc/api/system_hooks.md4
-rw-r--r--lib/api/system_hooks.rb2
-rw-r--r--spec/requests/api/system_hooks_spec.rb10
4 files changed, 13 insertions, 8 deletions
diff --git a/changelogs/unreleased/security-trigger-system-hook-by-post.yml b/changelogs/unreleased/security-trigger-system-hook-by-post.yml
new file mode 100644
index 00000000000..c86b9bd40f8
--- /dev/null
+++ b/changelogs/unreleased/security-trigger-system-hook-by-post.yml
@@ -0,0 +1,5 @@
+---
+title: Require POST request to trigger system hooks
+merge_request:
+author:
+type: security
diff --git a/doc/api/system_hooks.md b/doc/api/system_hooks.md
index 855436864cc..3348157129d 100644
--- a/doc/api/system_hooks.md
+++ b/doc/api/system_hooks.md
@@ -88,7 +88,7 @@ Example response:
## Test system hook
```plaintext
-GET /hooks/:id
+POST /hooks/:id
```
| Attribute | Type | Required | Description |
@@ -98,7 +98,7 @@ GET /hooks/:id
Example request:
```shell
-curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/2"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/1"
```
Example response:
diff --git a/lib/api/system_hooks.rb b/lib/api/system_hooks.rb
index 42e16d47a0b..fe23a111b7f 100644
--- a/lib/api/system_hooks.rb
+++ b/lib/api/system_hooks.rb
@@ -47,7 +47,7 @@ module API
params do
requires :id, type: Integer, desc: 'The ID of the system hook'
end
- get ":id" do
+ post ":id" do
hook = SystemHook.find(params[:id])
data = {
event_name: "project_create",
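Review bot: Switching `get ":id"` to `post ":id"` is the right verb for a side-effecting "test hook" call, but on its own it only closes the path where a GET was reachable through a plain link or image request; if this API still accepts session-cookie authentication for browser callers, please confirm that the helper which handles that path enforces a CSRF token on non-GET requests, otherwise the cross-site trigger is still possible with the new verb. The reason for the verb is not obvious from the code, so a short comment above the route would help future readers, e.g. `# POST, not GET: this delivers a fake project_create event to the hook target, so it must never be triggerable by a bare link/GET.` The admin-only guard and the `desc` block for this route sit outside the hunk; the `desc` text may still describe the endpoint as a GET and should be checked. The route body continues past the end of the hunk.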
diff --git a/spec/requests/api/system_hooks_spec.rb b/spec/requests/api/system_hooks_spec.rb
index 01b46053d52..3cea1af686e 100644
--- a/spec/requests/api/system_hooks_spec.rb
+++ b/spec/requests/api/system_hooks_spec.rb
@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
end
end
- describe "GET /hooks/:id" do
- it "returns hook by id" do
- get api("/hooks/#{hook.id}", admin)
- expect(response).to have_gitlab_http_status(:ok)
+ describe 'POST /hooks/:id' do
+ it "returns and trigger hook by id" do
+ post api("/hooks/#{hook.id}", admin)
+ expect(response).to have_gitlab_http_status(:created)
expect(json_response['event_name']).to eq('project_create')
end
it "returns 404 on failure" do
- get api("/hooks/404", admin)
+ post api("/hooks/404", admin)
expect(response).to have_gitlab_http_status(:not_found)
end
end
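Review bot: The renamed example `"returns and trigger hook by id"` asserts only the response status and `event_name`, not that the hook was actually delivered, so the "trigger" half of its name is unverified; if the suite already stubs outbound HTTP (as a WebMock-style `stub_request(:post, hook.url)` would), an `expect(a_request(:post, hook.url)).to have_been_made` assertion would pin that behaviour. The security change itself also has no regression test: nothing here checks that the old verb is gone, and a sibling example such as `get api("/hooks/#{hook.id}", admin)` expecting the rejection Grape returns for a route that no longer exists (405 or 404, whichever this API's routing produces) would guard against it being reintroduced. Minor: the description reads better as `"returns and triggers hook by id"`.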