-rw-r--r-- | CHANGELOG | 2 | ||||
-rw-r--r-- | Gemfile.lock | 2 | ||||
-rw-r--r-- | app/controllers/search_controller.rb | 22 |
3 files changed, 20 insertions, 6 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 00b3255ce2d..e8f367c332b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,8 @@ v 7.10.0 (unreleased)
 - Fix project import URL regex to prevent arbitary local repos from being imported.
 - Fix directory traversal vulnerability around uploads routes.
 - Fix directory traversal vulnerability around help pages.
+ - Don't leak existence of project via search autocomplete.
+ - Don't leak existence of group or project via search.
 - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
 - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
 - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/Gemfile.lock b/Gemfile.lock
index 747dbe1b037..dc00acf6292 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -188,7 +188,7 @@ GEM
 dotenv (>= 0.7)
 thor (>= 0.13.6)
 formatador (0.2.4)
- gemnasium-gitlab-service (0.2.4)
+ gemnasium-gitlab-service (0.2.6)
 rugged (~> 0.21)
 gemojione (2.0.0)
 json
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index a3284c82d3f..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController def show return if params[:search].nil? || params[:search].blank? - @project = Project.find_by(id: params[:project_id]) if params[:project_id].present? - @group = Group.find_by(id: params[:group_id]) if params[:group_id].present? + + if params[:project_id].present? + @project = Project.find_by(id: params[:project_id]) + @project = nil unless can?(current_user, :download_code, @project) + end + + if params[:group_id].present? + @group = Group.find_by(id: params[:group_id]) + @group = nil unless can?(current_user, :read_group, @group) + end + @scope = params[:scope] @show_snippets = params[:snippets].eql? 'true' @search_results = if @project - return access_denied! unless can?(current_user, :download_code, @project) - unless %w(blobs notes issues merge_requests wiki_blobs). include?(@scope) @scope = 'blobs' @@ -35,7 +42,12 @@ class SearchController < ApplicationController def autocomplete term = params[:term] - @project = Project.find(params[:project_id]) if params[:project_id].present? + + if params[:project_id].present? + @project = Project.find_by(id: params[:project_id]) + @project = nil unless can?(current_user, :read_project, @project) + end + @ref = params[:project_ref] if params[:project_ref].present? render json: search_autocomplete_opts(term).to_json |
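Review bot: The find-then-nil-out pattern is now written out three times (`@project` and `@group` in `show`, `@project` in `autocomplete`), and every copy silently depends on `can?` returning false rather than raising when `find_by` misses and hands it a nil subject — that is exactly what makes a missing record and a forbidden one indistinguishable to the caller, which is the point of this fix, so it deserves a named helper with a comment saying so instead of being implied at each site. Note also that `show` gates the project on `:download_code` while `autocomplete` gates it on `:read_project`; if that asymmetry is intentional (autocomplete surfacing only navigation targets, not code), a one-line comment on the `autocomplete` check would stop a later cleanup from "harmonising" it, and if it is not intentional the weaker ability is the one to revisit. With a private helper the three call sites collapse to the form `@project = authorized_record(Project, params[:project_id], :download_code) if params[:project_id].present?`. Both `show` and `autocomplete` continue past the end of their hunks, and the class's private section is outside the diff.
```ruby
  # … unchanged: show and autocomplete bodies, with each
  #   find_by + can? pair replaced by an authorized_record call …

  private

  # Resolves an id taken from params to a record the current user holds
  # `ability` on. Returns nil both when no such record exists and when the
  # ability check fails, so callers (and the HTTP response) cannot tell the
  # two cases apart. Relies on can? treating a nil subject as "not allowed".
  def authorized_record(model, id, ability)
    record = model.find_by(id: id)
    can?(current_user, ability, record) ? record : nil
  end
```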