author | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:45 +0000 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2019-01-01 20:38:45 +0000 |
commit | 3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (patch) | |
tree | e724d9132931c7bb3016ecf5134d7170bc1a35ae /app/services | |
parent | 0058c97a1b564b7050e17bbf015ca2482f04657f (diff) | |
parent | 08dbd93bd6e08bca179567a3c020b8fac5139b49 (diff) | |
download | gitlab-ce-3fca973e339e9bbf7a2e993bb36e0d800d4e1041.tar.gz |
Merge branch 'security-bvl-fix-cross-project-mr-exposure' into 'master'
[master] Validate projects in MR build service
See merge request gitlab/gitlabhq!2678
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/merge_requests/build_service.rb | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/app/services/merge_requests/build_service.rb b/app/services/merge_requests/build_service.rb
index 36767621d74..48419da98ad 100644
--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -18,7 +18,7 @@ module MergeRequests
 merge_request.source_project = find_source_project
 merge_request.target_project = find_target_project
 merge_request.target_branch = find_target_branch
- merge_request.can_be_created = branches_valid?
+ merge_request.can_be_created = projects_and_branches_valid?
 # compare branches only if branches are valid, otherwise
 # compare_branches may raise an error
@@ -49,15 +49,19 @@ module MergeRequests
 to: :merge_request
 def find_source_project
- return source_project if source_project.present? && can?(current_user, :read_project, source_project)
+ return source_project if source_project.present? && can?(current_user, :create_merge_request_from, source_project)
 project
 end
 def find_target_project
- return target_project if target_project.present? && can?(current_user, :read_project, target_project)
+ return target_project if target_project.present? && can?(current_user, :create_merge_request_in, target_project)
- project.default_merge_request_target
+ target_project = project.default_merge_request_target
+
+ return target_project if target_project.present? && can?(current_user, :create_merge_request_in, target_project)
+
+ project
 end
 def find_target_branch
@@ -72,10 +76,11 @@ module MergeRequests
 params[:target_branch].present?
 end
- def branches_valid?
+ def projects_and_branches_valid?
+ return false if source_project.nil? || target_project.nil?
 return false unless source_branch_specified? || target_branch_specified?
- validate_branches
+ validate_projects_and_branches
 errors.blank?
 end
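Review bot: In the second hunk both `find_source_project` and `find_target_project` still end in a bare `project` fallback with no ability check, so a project rejected by `can?` is silently swapped for the current project rather than refused. Whether that is safe depends on `validate_target_project` and `validate_fork`, which are defined outside this diff. If they cover it, a comment above each fallback such as `# not permission-checked here; rejected later by validate_projects_and_branches if the user lacks access` would make that dependency explicit. Separately, the new local `target_project = project.default_merge_request_target` shadows the `target_project` reader called on the method's first line (presumably delegated to `merge_request`); a name like `default_target` would remove the ambiguity.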
@@ -94,7 +99,12 @@ module MergeRequests end end - def validate_branches + def validate_projects_and_branches + merge_request.validate_target_project + merge_request.validate_fork + + return if errors.any? + add_error('You must select source and target branch') unless branches_present? add_error('You must select different branches') if same_source_and_target? add_error("Source branch \"#{source_branch}\" does not exist") unless source_branch_exists? |
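Review bot: The early `return if errors.any?` after the two project validations has no comment, and its purpose is not obvious from the code. It appears to stop the branch checks below from running, and from reporting things like whether a source branch exists, once the project pair has been rejected. If that is the intent, say so above the line, e.g. `# Skip branch checks when the projects are invalid so branch existence is not reported for them`. `validate_target_project` and `validate_fork` are defined outside this diff, so it is also worth confirming that they add to the same `errors` collection this method reads. The method body continues past the end of the hunk.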