author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-01 11:56:09 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-01 11:56:26 +0000 |
commit | 4bb4e2b08d99cbccda0e3a1f7ae102e5446e5713 (patch) | |
tree | 7b4f118ce300e163656334961c67add3e7cf28b8 | |
parent | 78fdc7be5faab52379fcce7b0da4b1063c259312 (diff) | |
download | gitlab-ce-4bb4e2b08d99cbccda0e3a1f7ae102e5446e5713.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
-rw-r--r-- | app/models/note.rb | 4 | ||||
-rw-r--r-- | config/routes/repository_deprecated.rb | 8 | ||||
-rw-r--r-- | lib/api/award_emoji.rb | 2 | ||||
-rw-r--r-- | spec/models/note_spec.rb | 16 | ||||
-rw-r--r-- | spec/requests/api/award_emoji_spec.rb | 30 | ||||
-rw-r--r-- | spec/routing/project_routing_spec.rb | 5 |
6 files changed, 62 insertions, 3 deletions
diff --git a/app/models/note.rb b/app/models/note.rb index daac489757b..54453b184d5 100644 --- a/app/models/note.rb +++ b/app/models/note.rb @@ -706,6 +706,10 @@ class Note < ApplicationRecord super.sub!('task', 'checklist item') end + def issuable_ability_name + confidential? ? :read_confidential_notes : :read_note + end + private def system_note_viewable_by?(user) diff --git a/config/routes/repository_deprecated.rb b/config/routes/repository_deprecated.rb index e611b4f665b..32682000941 100644 --- a/config/routes/repository_deprecated.rb +++ b/config/routes/repository_deprecated.rb @@ -18,8 +18,12 @@ scope format: false do constraints: { id: Gitlab::PathRegex.git_reference_regex } get '/refs/:id/logs_tree/*path', - to: redirect('%{namespace_id}/%{project_id}/-/refs/%{id}/logs_tree/%{path}'), - constraints: { id: /.*/, path: /[^\0]*/ } + constraints: { id: /.*/, path: /[^\0]*/ }, + to: redirect { |params, _request| + path = params[:path] + path.gsub!('@', '-/') + Addressable::URI.escape("#{params[:namespace_id]}/#{params[:project_id]}/-/refs/#{params[:id]}/logs_tree/#{path}") + } scope constraints: { id: /[^\0]+/ } do # Deprecated. Keep for compatibility. diff --git a/lib/api/award_emoji.rb b/lib/api/award_emoji.rb index fd36b364d56..e419a025508 100644 --- a/lib/api/award_emoji.rb +++ b/lib/api/award_emoji.rb @@ -100,7 +100,7 @@ module API def read_ability(awardable) case awardable when Note - read_ability(awardable.noteable) + awardable.issuable_ability_name when Snippet, ProjectSnippet :read_snippet else diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb index 1fce1f97dcb..1ee071f35fa 100644 --- a/spec/models/note_spec.rb +++ b/spec/models/note_spec.rb 
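Review bot: `issuable_ability_name` reads as if it returned an ability to check on the issuable, but the value it returns (`:read_note` / `:read_confidential_notes`) is the ability needed on the note itself, and the method is public surface (it sits above `private` and is called from lib/api/award_emoji.rb in this same commit). A one-line doc would stop the next caller from checking it against the noteable: `# Ability a user needs on this note (not on its noteable) to read it; confidential notes require :read_confidential_notes.` A name such as `read_ability_name` would say the same thing, but a comment is enough if renaming is undesirable at this point.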
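Review bot: The `path.gsub!('@', '-/')` rewrite in the new `redirect` block covers only `params[:path]`, mutates the request's path parameter in place, and silently changes a legitimate `@` in a file name into a different path, while `id` (constrained by `/.*/` on the same `constraints:` line, so it admits the same characters) and the `../` segments are interpolated into the target untouched. If a literal `@` in the Location is what lets the redirect escape the host, neutralising it on the assembled, escaped string covers every interpolated component and keeps the original name recoverable: `path = params[:path].to_s` and `Addressable::URI.escape("#{params[:namespace_id]}/#{params[:project_id]}/-/refs/#{params[:id]}/logs_tree/#{path}").gsub('@', '%40')` (the spec expectations would then read `%40example.com` instead of `-/example.com`). The `.to_s` also guards the case where the glob matches nothing and `params[:path]` is nil, which the current `gsub!` would raise on; I cannot see from here whether the `*path` glob can match empty, so treat that as a hedge. Whatever form is kept, the block deserves a comment stating which characters the escape step does and does not touch, since the surrounding routes rely on the Rails `redirect` helper's own escaping.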
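Review bot: The `when Note` branch now returns the note's own ability where it previously recursed to the noteable's (`:read_issue`, `:read_snippet`, and so on via the `when Snippet, ProjectSnippet` branch below it); that is only a tightening if the caller checks the returned ability against the note object rather than against `awardable.noteable`, and the `can?` call that consumes `read_ability` is outside this hunk. A comment on the branch would make the subject of the check explicit for the reader: `# Checked against the note itself, so a confidential note requires the stricter ability`. The `read_ability` method continues past the end of the hunk (`else` branch).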
@@ -1882,4 +1882,20 @@ RSpec.describe Note do end end end + + describe '#issuable_ability_name' do + subject { note.issuable_ability_name } + + context 'when not confidential note' do + let(:note) { build(:note) } + + it { is_expected.to eq :read_note } + end + + context 'when confidential note' do + let(:note) { build(:note, :confidential) } + + it { is_expected.to eq :read_confidential_notes } + end + end end diff --git a/spec/requests/api/award_emoji_spec.rb b/spec/requests/api/award_emoji_spec.rb index 67ddaf2fda5..bb563f93bfe 100644 --- a/spec/requests/api/award_emoji_spec.rb +++ b/spec/requests/api/award_emoji_spec.rb @@ -191,6 +191,36 @@ RSpec.describe API::AwardEmoji do expect(json_response['name']).to eq(rocket.name) end + context 'when a confidential note' do + subject(:perform_request) { get api(request_path, current_user) } + + let_it_be(:group) { create(:group) } + let_it_be(:project) { create(:project, :public, namespace: group) } + let_it_be(:issue) { create(:issue, project: project) } + let_it_be(:note) { create(:note, :confidential, project: project, noteable: issue, author: user) } + + context 'with sufficient persmissions' do + let(:current_user) { user } + + it 'returns an award emoji' do + perform_request + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['name']).to eq(rocket.name) + end + end + + context 'with insufficient permissions' do + let(:current_user) { nil } + + it 'returns 404' do + perform_request + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end + it_behaves_like 'unauthenticated request to public awardable' it_behaves_like 'request with insufficient permissions', :get end diff --git a/spec/routing/project_routing_spec.rb b/spec/routing/project_routing_spec.rb index 9317a661188..875a54de3d1 100644 --- a/spec/routing/project_routing_spec.rb +++ b/spec/routing/project_routing_spec.rb 
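Review bot: The 'with insufficient permissions' context only exercises an anonymous request (`current_user` nil) on a public project; the case the changed `read_ability` is meant to close is a signed-in user who can read the issue but not a confidential note on it, and that case is not covered. Assuming a non-member cannot read confidential notes, add alongside the existing context: `context 'with a non-member user' do let(:current_user) { create(:user) } it 'returns 404' do perform_request; expect(response).to have_gitlab_http_status(:not_found) end end`. The description `'with sufficient persmissions'` also has a typo (`permissions`). `request_path` and `rocket` are defined outside the hunk, so I am assuming they point at an award on the confidential `note`.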
@@ -189,6 +189,7 @@ RSpec.describe 'project routing' do end it 'to #logs_tree' do + expect(get('/gitlab/gitlabhq/-/refs/stable/logs_tree/..%2F..%2F..%2F..%2F..%2F@example.com/tree/a')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'stable', path: '../../../../../@example.com/tree/a') expect(get('/gitlab/gitlabhq/-/refs/stable/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'stable') expect(get('/gitlab/gitlabhq/-/refs/feature%2345/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'feature#45') expect(get('/gitlab/gitlabhq/-/refs/feature%2B45/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'feature+45') @@ -214,6 +215,10 @@ RSpec.describe 'project routing' do it_behaves_like 'redirecting a legacy path', '/gitlab/gitlabhq/refs/stable/logs_tree/new%0A%0Aline.txt', '/gitlab/gitlabhq/-/refs/stable/logs_tree/new%0A%0Aline.txt' + + it_behaves_like 'redirecting a legacy path', + '/gitlab/gitlabhq/refs/feature%2345/logs_tree/../../../../../@example.com/tree/a', + '/gitlab/gitlabhq/-/refs/feature#45/logs_tree/../../../../../-/example.com/tree/a' end describe Projects::MergeRequestsController, 'routing' do |
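Review bot: The new redirect expectation pins a raw `#` in the target (`/gitlab/gitlabhq/-/refs/feature#45/logs_tree/...`); in a Location header `#` begins the fragment, so a browser would request `/gitlab/gitlabhq/-/refs/feature` and drop `45/logs_tree/...`, while the string-equality check passes. The first hunk shows the on-the-wire form for such a ref is `feature%2345`, which suggests the route should emit the encoded form; if `Addressable::URI.escape` in the route treats `#` as a delimiter (it parses its argument as a URI), `params[:id]` needs to be percent-encoded before the string is assembled, and this example should expect `feature%2345`. Until that is settled, a comment on the example saying whether the literal `#` is intended would keep the next reader from copying it as a reference.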