Avoid #authenticate_user! in #route_not_found

This method, #route_not_found, is executed as the final fallback for unrecognized routes (as the name might imply.) We want to avoid `#authenticate_user!` when calling `#route_not_found`; `#authenticate_user!` can, depending on the request format, return a 401 instead of redirecting to a login page. This opens a subtle security exploit where anonymous users will receive a 401 response when attempting to access a private repo, while a recognized user will receive a 404, exposing the existence of the private, hidden repo.
author: Kerri Miller <kerrizor@kerrizor.com> 2019-09-23 10:55:32 -0700
committer: Kerri Miller <kerrizor@kerrizor.com> 2019-10-09 10:47:45 -0700
commit: 8395032721f6d6cb26126a5bffcb42984a240c07 (patch)
tree: 875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/controllers/projects
parent: 7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff)
download: gitlab-ce-8395032721f6d6cb26126a5bffcb42984a240c07.tar.gz
4 files changed, 6 insertions, 6 deletions
diff --git a/spec/controllers/projects/commits_controller_spec.rb b/spec/controllers/projects/commits_controller_spec.rb
index 9c4d6fdcb2a..1977e92e42b 100644
--- a/spec/controllers/projects/commits_controller_spec.rb
+++ b/spec/controllers/projects/commits_controller_spec.rb
@@ -142,7 +142,7 @@ describe Projects::CommitsController do
 
   context 'token authentication' do
     context 'public project' do
-      it_behaves_like 'authenticates sessionless user', :show, :atom, public: true do
+      it_behaves_like 'authenticates sessionless user', :show, :atom, { public: true, ignore_incrementing: true } do
         before do
           public_project = create(:project, :repository, :public)
 
@@ -152,7 +152,7 @@ describe Projects::CommitsController do
     end
 
     context 'private project' do
-      it_behaves_like 'authenticates sessionless user', :show, :atom, public: false do
+      it_behaves_like 'authenticates sessionless user', :show, :atom, { public: false, ignore_incrementing: true } do
         before do
           private_project = create(:project, :repository, :private)
           private_project.add_maintainer(user)
diff --git a/spec/controllers/projects/error_tracking_controller_spec.rb b/spec/controllers/projects/error_tracking_controller_spec.rb
index 4c224e960a6..31868f5f717 100644
--- a/spec/controllers/projects/error_tracking_controller_spec.rb
+++ b/spec/controllers/projects/error_tracking_controller_spec.rb
@@ -146,7 +146,7 @@ describe Projects::ErrorTrackingController do
       it 'redirects to sign-in page' do
         post :list_projects, params: list_projects_params
 
-        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(response).to have_gitlab_http_status(:redirect)
       end
     end
 
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 2edc0aa5536..2e41fa1df8c 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1440,7 +1440,7 @@ describe Projects::IssuesController do
   context 'private project with token authentication' do
     let(:private_project) { create(:project, :private) }
 
-    it_behaves_like 'authenticates sessionless user', :index, :atom do
+    it_behaves_like 'authenticates sessionless user', :index, :atom, ignore_incrementing: true do
       before do
         default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
 
@@ -1448,7 +1448,7 @@ describe Projects::IssuesController do
       end
     end
 
-    it_behaves_like 'authenticates sessionless user', :calendar, :ics do
+    it_behaves_like 'authenticates sessionless user', :calendar, :ics, ignore_incrementing: true do
       before do
         default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
 
diff --git a/spec/controllers/projects/tags_controller_spec.rb b/spec/controllers/projects/tags_controller_spec.rb
index b99b5d611fc..f077b4c99fc 100644
--- a/spec/controllers/projects/tags_controller_spec.rb
+++ b/spec/controllers/projects/tags_controller_spec.rb
@@ -41,7 +41,7 @@ describe Projects::TagsController do
   context 'private project with token authentication' do
     let(:private_project) { create(:project, :repository, :private) }
 
-    it_behaves_like 'authenticates sessionless user', :index, :atom do
+    it_behaves_like 'authenticates sessionless user', :index, :atom, ignore_incrementing: true do
       before do
         default_params.merge!(project_id: private_project, namespace_id: private_project.namespace)
author	Kerri Miller <kerrizor@kerrizor.com>	2019-09-23 10:55:32 -0700
committer	Kerri Miller <kerrizor@kerrizor.com>	2019-10-09 10:47:45 -0700
commit	8395032721f6d6cb26126a5bffcb42984a240c07 (patch)
tree	875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/controllers/projects
parent	7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff)
download	gitlab-ce-8395032721f6d6cb26126a5bffcb42984a240c07.tar.gz