author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-25 12:09:00 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-25 12:09:00 +0000 |
commit | 44612c0c9f0e73c5fb4f700886100b7cdc8f7b10 (patch) | |
tree | 1e978a89fcb2bfca317fc91d4c8d9f080cddce4f /spec/controllers | |
parent | 1581fb4cba8abf4439cea2ca138fd5f9818b0884 (diff) | |
parent | 48ab4c01e69ae7149edcba7a9fda29346b1583e2 (diff) | |
Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-4' into '12-4-stable'
Return 404 on LFS request if project doesn't exist
See merge request gitlab/gitlabhq!3506
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/concerns/lfs_request_spec.rb | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/spec/controllers/concerns/lfs_request_spec.rb b/spec/controllers/concerns/lfs_request_spec.rb
index cb8c0b8f71c..823b9a50434 100644
--- a/spec/controllers/concerns/lfs_request_spec.rb
+++ b/spec/controllers/concerns/lfs_request_spec.rb
@@ -16,13 +16,17 @@ describe LfsRequest do
     end
 
     def project
-      @project ||= Project.find(params[:id])
+      @project ||= Project.find_by(id: params[:id])
     end
 
     def download_request?
       true
     end
 
+    def upload_request?
+      false
+    end
+
     def ci?
       false
     end
@@ -49,4 +53,41 @@ describe LfsRequest do
         expect(assigns(:storage_project)).to eq(project)
       end
     end
+
+    context 'user is authenticated without access to lfs' do
+      before do
+        allow(controller).to receive(:authenticate_user)
+        allow(controller).to receive(:authentication_result) do
+          Gitlab::Auth::Result.new
+        end
+      end
+
+      context 'with access to the project' do
+        it 'returns 403' do
+          get :show, params: { id: project.id }
+
+          expect(response.status).to eq(403)
+        end
+      end
+
+      context 'without access to the project' do
+        context 'project does not exist' do
+          it 'returns 404' do
+            get :show, params: { id: 'does not exist' }
+
+            expect(response.status).to eq(404)
+          end
+        end
+
+        context 'project is private' do
+          let(:project) { create(:project, :private) }
+
+          it 'returns 404' do
+            get :show, params: { id: project.id }
+
+            expect(response.status).to eq(404)
+          end
+        end
+      end
+    end
 end
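Review bot: The added `upload_request?` stub hard-codes `false` next to the existing `download_request?` stub that returns `true`, so every example in this file, including the new 403/404 cases in the second hunk, can only reach the download branch of whatever access check the concern performs; the upload branch gets no coverage for the disclosure fix. A cheap addition is a context that flips both stubs, `allow(controller).to receive(:download_request?).and_return(false)` and `allow(controller).to receive(:upload_request?).and_return(true)`, and re-asserts 404 for the private and non-existent project cases. The definition these helper methods belong to starts outside the hunk, so I cannot see whether anything else in it relied on `Project.find` raising for a missing id, which `find_by` no longer does.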
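Review bot: Both new 'returns 404' examples pin only `response.status`, which does not establish what this fix is meant to guarantee — that a private project and a non-existent id look the same to the caller; a differing body or content type would still let a caller enumerate private repository names. I would introduce a `shared_examples 'indistinguishable 404'` used by both contexts that also asserts `response.body` and `response.content_type` match the non-existent case. Note also that `Gitlab::Auth::Result.new` carries no actor, so despite the context name the private-project example is effectively anonymous; the realistic enumeration scenario — a signed-in user who is not a member of the private project — is not exercised and would need an explicit actor in the stubbed result. The outer `let(:project)` that the 'with access to the project' example relies on is defined outside the hunk, so its visibility level is assumed here.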