summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSean McGivern <sean@gitlab.com>2017-03-28 11:09:44 +0000
committerDJ Mountney <david@twkie.net>2017-03-29 10:15:19 -0700
commit80c139b14448349c6a483e8c134b46a88865b2a4 (patch)
treeb79c9970334ebf508d165ffb756d2ab74ca6c6e2
parentb3ec0091c33aa0b9a3466f9651693240c857dee6 (diff)
downloadgitlab-ce-80c139b14448349c6a483e8c134b46a88865b2a4.tar.gz
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id See merge request !2077
-rw-r--r--app/finders/group_finder.rb17
-rw-r--r--app/services/groups/update_service.rb8
-rw-r--r--app/views/shared/_group_form.html.haml3
-rw-r--r--changelogs/unreleased/jej-group-name-disclosure.yml4
-rw-r--r--spec/features/groups_spec.rb10
-rw-r--r--spec/services/groups/update_service_spec.rb14
6 files changed, 55 insertions, 1 deletions
diff --git a/app/finders/group_finder.rb b/app/finders/group_finder.rb
new file mode 100644
index 00000000000..24c84d2d1aa
--- /dev/null
+++ b/app/finders/group_finder.rb
@@ -0,0 +1,17 @@
+class GroupFinder
+ include Gitlab::Allowable
+
+ def initialize(current_user)
+ @current_user = current_user
+ end
+
+ def execute(*params)
+ group = Group.find_by(*params)
+
+ if can?(@current_user, :read_group, group)
+ group
+ else
+ nil
+ end
+ end
+end
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 4e878ec556a..1d65c76d282 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -1,6 +1,8 @@
module Groups
class UpdateService < Groups::BaseService
def execute
+ reject_parent_id!
+
# check that user is allowed to set specified visibility_level
new_visibility = params[:visibility_level]
if new_visibility && new_visibility.to_i != group.visibility_level
@@ -22,5 +24,11 @@ module Groups
false
end
end
+
+ private
+
+ def reject_parent_id!
+ params.except!(:parent_id)
+ end
end
end
diff --git a/app/views/shared/_group_form.html.haml b/app/views/shared/_group_form.html.haml
index c2d9ac87b20..981b4f20ad1 100644
--- a/app/views/shared/_group_form.html.haml
+++ b/app/views/shared/_group_form.html.haml
@@ -1,4 +1,5 @@
-- parent = Group.find_by(id: params[:parent_id] || @group.parent_id)
+- parent = GroupFinder.new(current_user).execute(id: params[:parent_id] || @group.parent_id)
+
- if @group.persisted?
.form-group
= f.label :name, class: 'control-label' do
diff --git a/changelogs/unreleased/jej-group-name-disclosure.yml b/changelogs/unreleased/jej-group-name-disclosure.yml
new file mode 100644
index 00000000000..9b8ab7082ef
--- /dev/null
+++ b/changelogs/unreleased/jej-group-name-disclosure.yml
@@ -0,0 +1,4 @@
+---
+title: Fixed private group name disclosure via new/update forms
+merge_request:
+author:
diff --git a/spec/features/groups_spec.rb b/spec/features/groups_spec.rb
index d243f9478bb..5bfe661c6d1 100644
--- a/spec/features/groups_spec.rb
+++ b/spec/features/groups_spec.rb
@@ -100,6 +100,16 @@ feature 'Group', feature: true do
end
end
+ it 'checks permissions to avoid exposing groups by parent_id' do
+ group = create(:group, :private, path: 'secret-group')
+
+ logout
+ login_as(:user)
+ visit new_group_path(parent_id: group.id)
+
+ expect(page).not_to have_content('secret-group')
+ end
+
describe 'group edit' do
let(:group) { create(:group) }
let(:path) { edit_group_path(group) }
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 7c0fccb9d41..c88ce38d728 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
end
end
end
+
+ context "with parent_id user doesn't have permissions for" do
+ let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+ before do
+ service.execute
+ end
+
+ it 'does not update parent_id' do
+ updated_group = public_group.reload
+
+ expect(updated_group.parent_id).to be_nil
+ end
+ end
end
context "unauthorized visibility_level validation" do