authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-04-25 10:38:42 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-04-25 10:38:42 +0000
commitf80f957f8778fa65f986d51076fc1038e19d733f (patch)
tree95ef4ec1e0d948710c2dc7756f67c8263778f209
parent2243634b5d586c84e85853a7668ea69100c98010 (diff)
parentd73a078409c8fc9d525085c10d03edd3dbbcc084 (diff)
Merge branch 'security-issue_2830-11-9' into '11-9-stable'
Prevent leaking information when an issue is moved. See merge request gitlab/gitlabhq!3073
-rw-r--r--app/views/projects/issues/show.html.haml2
-rw-r--r--changelogs/unreleased/security-issue_2830.yml5
-rw-r--r--spec/views/projects/issues/show.html.haml_spec.rb27
3 files changed, 27 insertions, 7 deletions
diff --git a/app/views/projects/issues/show.html.haml b/app/views/projects/issues/show.html.haml
index 819d3c4ec76..0ac6ba8edb8 100644
--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -15,7 +15,7 @@
.issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
= sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
.d-none.d-sm-block
- - if @issue.moved?
+ - if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
- moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
- moved_link_end = '</a>'.html_safe
= s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,
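Review bot: The authorization decision on the changed line lives only in this template, and `@issue.moved_to` is dereferenced twice (once in the condition, once more in the `issue_path` call on the next line); any other rendering of `moved_to` would presumably need the same guard, so a helper or presenter method would be the safer home for it. If it stays inline, loading the target once keeps the condition and the link consistent: `- moved_to = @issue.moved_to if @issue.moved?` followed by `- if moved_to && can?(current_user, :read_issue, moved_to)`, with `issue_path(moved_to)` below. The surrounding status-box markup continues outside the hunk, so what is rendered when the check fails is not visible here.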
diff --git a/changelogs/unreleased/security-issue_2830.yml b/changelogs/unreleased/security-issue_2830.yml
new file mode 100644
index 00000000000..244e105f7d4
--- /dev/null
+++ b/changelogs/unreleased/security-issue_2830.yml
@@ -0,0 +1,5 @@
+---
+title: 'Resolve: moving an issue to private repo leaks namespace and project name'
+merge_request:
+author:
+type: security
diff --git a/spec/views/projects/issues/show.html.haml_spec.rb b/spec/views/projects/issues/show.html.haml_spec.rb
index 1d9c6d36ad7..1ca9eaf8fdb 100644
--- a/spec/views/projects/issues/show.html.haml_spec.rb
+++ b/spec/views/projects/issues/show.html.haml_spec.rb
@@ -19,6 +19,7 @@ describe 'projects/issues/show' do
context 'when the issue is closed' do
before do
allow(issue).to receive(:closed?).and_return(true)
+ allow(view).to receive(:current_user).and_return(user)
end
context 'when the issue was moved' do
@@ -28,16 +29,30 @@ describe 'projects/issues/show' do
issue.moved_to = new_issue
end
- it 'shows "Closed (moved)" if an issue has been moved' do
- render
+ context 'when user can see the moved issue' do
+ before do
+ project.add_developer(user)
+ end
- expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
+ it 'shows "Closed (moved)" if an issue has been moved' do
+ render
+
+ expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
+ end
+
+ it 'links "moved" to the new issue the original issue was moved to' do
+ render
+
+ expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+ end
end
- it 'links "moved" to the new issue the original issue was moved to' do
- render
+ context 'when user cannot see moved issue' do
+ it 'does not show moved issue link' do
+ render
- expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+ expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+ end
end
end
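Review bot: The new 'when user cannot see moved issue' example only asserts that the anchor is absent, which does not prove the fix: the leak described in the changelog is the target namespace and project name, and a future change could print that path without an anchor and still pass. Add a negative check on the rendered text, e.g. `expect(rendered).not_to include(new_issue.project.full_path)` (assuming `new_issue` is built with its own project, which is defined outside this hunk), and a positive check that the box still reads closed, `expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed')`, so the restricted branch is shown to render something sensible rather than nothing. The enclosing `describe`/`context` blocks begin before the hunk.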