authorRobert Speicher <robert@gitlab.com>2016-04-25 21:10:18 +0000
committerRobert Speicher <rspeicher@gmail.com>2016-04-25 17:13:48 -0400
commit9622eec0ad8aea23e780c1a7efa73ff078a482da (patch)
tree36bde6ee584d66a3a378a82ce9a7758a95224e3d
parent55bbc7e3dfc8c1e33fd23da2277890e2546c2f45 (diff)
downloadgitlab-ce-9622eec0ad8aea23e780c1a7efa73ff078a482da.tar.gz
Merge branch '15591-fix-project-leak-in-new-mr-view' into 'master'
Prevent information disclosure via the new merge request page. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963
-rw-r--r--app/services/merge_requests/build_service.rb3
-rw-r--r--spec/features/merge_requests/create_new_mr_spec.rb23
2 files changed, 26 insertions, 0 deletions
diff --git a/app/services/merge_requests/build_service.rb b/app/services/merge_requests/build_service.rb
index 6e9152e444e..68916e1f789 100644
--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -7,6 +7,9 @@ module MergeRequests
merge_request.can_be_created = false
merge_request.compare_commits = []
merge_request.source_project = project unless merge_request.source_project
+
+ merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
merge_request.target_project ||= (project.forked_from_project || project)
merge_request.target_branch ||= merge_request.target_project.default_branch
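Review bot: The `read_project` check on the added line runs before the `||=` fallback on the next line, so a target project chosen by that fallback (`project.forked_from_project`) is never subjected to the same check; if the current user cannot read the upstream project — which depends on visibility rules not visible here — it would be assigned as target_project exactly the way a params-supplied one was before this change. Simply moving the check after the fallback is not enough on its own, because a nil target_project would then raise on `.default_branch` on the following line. One way to keep both guarantees is to apply the check to the fallback candidate too and fall through to `project`: `merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)` / `merge_request.target_project ||= project.forked_from_project if can?(current_user, :read_project, project.forked_from_project)` / `merge_request.target_project ||= project`. The enclosing method begins above the hunk and continues below it, so any earlier or later handling of target_project is not visible here.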
diff --git a/spec/features/merge_requests/create_new_mr_spec.rb b/spec/features/merge_requests/create_new_mr_spec.rb
new file mode 100644
index 00000000000..f2dd2c56d1e
--- /dev/null
+++ b/spec/features/merge_requests/create_new_mr_spec.rb
@@ -0,0 +1,23 @@
+require 'spec_helper'
+
+feature 'Create New Merge Request', feature: true, js: true do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :public) }
+
+ before do
+ project.team << [user, :master]
+
+ login_as user
+ visit namespace_project_merge_requests_path(project.namespace, project)
+ end
+
+ context 'when target project cannot be viewed by the current user' do
+ it 'does not leak the private project name & namespace' do
+ private_project = create(:project, :private)
+
+ visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
+
+ expect(page).not_to have_content private_project.to_reference
+ end
+ end
+end
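Review bot: The only assertion, `expect(page).not_to have_content private_project.to_reference`, covers less than the example's description promises: `to_reference` is presumably derived from the project path, so a display name that differs from the path would not be caught even if it were rendered. Adding `expect(page).not_to have_content private_project.name` would pin the "name & namespace" claim in the `it` description. A positive assertion that the form still renders a usable, readable target (for example `expect(page).to have_content project.to_reference`, adjusted to whatever the form actually shows) would also distinguish "the fallback works" from "the page failed to render anything", which the negative check alone cannot. Separately, the `visit namespace_project_merge_requests_path(...)` in `before` is not used by the example, which visits a different page itself.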