Merge branch 'security-fix_milestones_search_api_leak' into 'master'

Resolve: Milestones leaked via search API Closes #2822 See merge request gitlab/gitlabhq!2997
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 12:34:07 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-03 12:34:07 +0000
commit: 38e4977dc7931aea13f496cafd3ed7d15d5ec93e (patch)
tree: dea9ebb60dbdab61dd5933cc4405353704356306 /lib
parent: 5dc6c8f2d08534281b0e1adf404af0e8642eb407 (diff)
parent: b70b43d07ec27c6410e4a8d7ad417662a8823f8f (diff)
download: gitlab-ce-38e4977dc7931aea13f496cafd3ed7d15d5ec93e.tar.gz
2 files changed, 31 insertions, 3 deletions
diff --git a/lib/gitlab/project_search_results.rb b/lib/gitlab/project_search_results.rb
index 78337518988..0f3b97e2317 100644
--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -138,6 +138,12 @@ module Gitlab
       project
     end
 
+    def filter_milestones_by_project(milestones)
+      return Milestone.none unless Ability.allowed?(@current_user, :read_milestone, @project)
+
+      milestones.where(project_id: project.id) # rubocop: disable CodeReuse/ActiveRecord
+    end
+
     def repository_project_ref
       @repository_project_ref ||= repository_ref || project.default_branch
     end
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index 4a097a00101..7c1e6b1baff 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -103,9 +103,11 @@ module Gitlab
 
     # rubocop: disable CodeReuse/ActiveRecord
     def milestones
-      milestones = Milestone.where(project_id: project_ids_relation)
-      milestones = milestones.search(query)
-      milestones.reorder('milestones.updated_at DESC')
+      milestones = Milestone.search(query)
+
+      milestones = filter_milestones_by_project(milestones)
+
+      milestones.reorder('updated_at DESC')
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
@@ -123,6 +125,26 @@ module Gitlab
       'projects'
     end
 
+    # Filter milestones by authorized projects.
+    # For performance reasons project_id is being plucked
+    # to be used on a smaller query.
+    #
+    # rubocop: disable CodeReuse/ActiveRecord
+    def filter_milestones_by_project(milestones)
+      project_ids =
+        milestones.where(project_id: project_ids_relation)
+          .select(:project_id).distinct
+          .pluck(:project_id)
+
+      return Milestone.none if project_ids.nil?
+
+      authorized_project_ids_relation =
+        Project.where(id: project_ids).ids_with_milestone_available_for(current_user)
+
+      milestones.where(project_id: authorized_project_ids_relation)
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
     # rubocop: disable CodeReuse/ActiveRecord
     def project_ids_relation
       limit_projects.select(:id).reorder(nil)
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 12:34:07 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-03 12:34:07 +0000
commit	38e4977dc7931aea13f496cafd3ed7d15d5ec93e (patch)
tree	dea9ebb60dbdab61dd5933cc4405353704356306 /lib
parent	5dc6c8f2d08534281b0e1adf404af0e8642eb407 (diff)
parent	b70b43d07ec27c6410e4a8d7ad417662a8823f8f (diff)
download	gitlab-ce-38e4977dc7931aea13f496cafd3ed7d15d5ec93e.tar.gz