Merge branch 'fix/gh-namespace-issue' into 'security-10-4'

[10.4] Fix GH namespace security issue
author: James Lopez <james@gitlab.com> 2018-01-26 15:39:10 +0000
committer: Robert Speicher <rspeicher@gmail.com> 2018-02-09 12:16:28 -0600
commit: 68e31c098ec3984c42b921c07fec8593116e77ce (patch)
tree: 8d92ef061571749cf46b54d41a70f38c2fcafd49 /app/services
parent: fec9fb05a5775b864ef6768df166d39fcb2be4bc (diff)
download: gitlab-ce-68e31c098ec3984c42b921c07fec8593116e77ce.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/app/services/groups/nested_create_service.rb b/app/services/groups/nested_create_service.rb
index d6f08fc3cce..5c337a9faa5 100644
--- a/app/services/groups/nested_create_service.rb
+++ b/app/services/groups/nested_create_service.rb
@@ -11,8 +11,8 @@ module Groups
     def execute
       return nil unless group_path
 
-      if group = Group.find_by_full_path(group_path)
-        return group
+      if namespace = namespace_or_group(group_path)
+        return namespace
       end
 
       if group_path.include?('/') && !Group.supports_nested_groups?
@@ -40,10 +40,14 @@ module Groups
         )
         new_params[:visibility_level] ||= Gitlab::CurrentSettings.current_application_settings.default_group_visibility
 
-        last_group = Group.find_by_full_path(partial_path) || Groups::CreateService.new(current_user, new_params).execute
+        last_group = namespace_or_group(partial_path) || Groups::CreateService.new(current_user, new_params).execute
       end
 
       last_group
     end
+
+    def namespace_or_group(group_path)
+      Namespace.find_by_full_path(group_path)
+    end
   end
 end
author	James Lopez <james@gitlab.com>	2018-01-26 15:39:10 +0000
committer	Robert Speicher <rspeicher@gmail.com>	2018-02-09 12:16:28 -0600
commit	68e31c098ec3984c42b921c07fec8593116e77ce (patch)
tree	8d92ef061571749cf46b54d41a70f38c2fcafd49 /app/services
parent	fec9fb05a5775b864ef6768df166d39fcb2be4bc (diff)
download	gitlab-ce-68e31c098ec3984c42b921c07fec8593116e77ce.tar.gz