author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:07 +0000 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 12:34:07 +0000 |
commit | 38e4977dc7931aea13f496cafd3ed7d15d5ec93e (patch) | |
tree | dea9ebb60dbdab61dd5933cc4405353704356306 /lib | |
parent | 5dc6c8f2d08534281b0e1adf404af0e8642eb407 (diff) | |
parent | b70b43d07ec27c6410e4a8d7ad417662a8823f8f (diff) | |
Merge branch 'security-fix_milestones_search_api_leak' into 'master'
Resolve: Milestones leaked via search API
Closes #2822
See merge request gitlab/gitlabhq!2997
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/project_search_results.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/search_results.rb | 28 |
2 files changed, 31 insertions, 3 deletions
diff --git a/lib/gitlab/project_search_results.rb b/lib/gitlab/project_search_results.rb
index 78337518988..0f3b97e2317 100644
--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -138,6 +138,12 @@ module Gitlab
       project
     end
 
+    def filter_milestones_by_project(milestones)
+      return Milestone.none unless Ability.allowed?(@current_user, :read_milestone, @project)
+
+      milestones.where(project_id: project.id) # rubocop: disable CodeReuse/ActiveRecord
+    end
+
     def repository_project_ref
       @repository_project_ref ||= repository_ref || project.default_branch
     end
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index 4a097a00101..7c1e6b1baff 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -103,9 +103,11 @@ module Gitlab
 
     # rubocop: disable CodeReuse/ActiveRecord
     def milestones
-      milestones = Milestone.where(project_id: project_ids_relation)
-      milestones = milestones.search(query)
-      milestones.reorder('milestones.updated_at DESC')
+      milestones = Milestone.search(query)
+
+      milestones = filter_milestones_by_project(milestones)
+
+      milestones.reorder('updated_at DESC')
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
@@ -123,6 +125,26 @@ module Gitlab
       'projects'
     end
 
+    # Filter milestones by authorized projects.
+    # For performance reasons project_id is being plucked
+    # to be used on a smaller query.
+    #
+    # rubocop: disable CodeReuse/ActiveRecord
+    def filter_milestones_by_project(milestones)
+      project_ids =
+        milestones.where(project_id: project_ids_relation)
+          .select(:project_id).distinct
+          .pluck(:project_id)
+
+      return Milestone.none if project_ids.nil?
+
+      authorized_project_ids_relation =
+        Project.where(id: project_ids).ids_with_milestone_available_for(current_user)
+
+      milestones.where(project_id: authorized_project_ids_relation)
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
     # rubocop: disable CodeReuse/ActiveRecord
     def project_ids_relation
       limit_projects.select(:id).reorder(nil)
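Review bot: The new `filter_milestones_by_project` override reads `@current_user` and `@project` directly on its first line but calls the `project` method on the line below, so the same state is reached through two different paths within one five-line method. If this class exposes a `current_user` reader as the parent class does in search_results.rb, `return Milestone.none unless Ability.allowed?(current_user, :read_milestone, project)` keeps the method to one style and avoids depending on the ivar names. A short comment would also help the next reader understand why this override does not reuse the parent's pluck-based filtering, e.g. `# Single-project search: one ability check on the project replaces the authorized-project subquery in SearchResults.` The method lies entirely within the hunk.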
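Review bot: `milestones.reorder('updated_at DESC')` drops the `milestones.` table qualifier that the removed line carried. As long as `filter_milestones_by_project` restricts by `where(project_id: ...)` this is a plain subquery and the column is unambiguous, but if a join on projects is ever introduced the unqualified name becomes ambiguous SQL; keeping `milestones.reorder('milestones.updated_at DESC')` costs nothing and removes that hazard. The method is fully visible in the hunk.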
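Review bot: `return Milestone.none if project_ids.nil?` in the new `filter_milestones_by_project` can never fire, because `pluck` returns an Array (possibly empty), never nil; the case worth short-circuiting is the empty array, so the guard should read `return Milestone.none if project_ids.empty?`, which also skips the follow-up `Project.where(...)` query when the search matched nothing in scope. The `.select(:project_id)` before `.pluck(:project_id)` is redundant since pluck sets its own projection; `.distinct.pluck(:project_id)` is equivalent and shorter. The leak fix itself relies on `ids_with_milestone_available_for(current_user)` returning only ids drawn from the `where(id: project_ids)` scope, which is defined outside this diff and worth confirming in review.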