summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--changelogs/unreleased/security-tags-oracle.yml5
-rw-r--r--lib/api/release/links.rb2
-rw-r--r--spec/requests/api/release/links_spec.rb16
3 files changed, 23 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml
new file mode 100644
index 00000000000..eb8ad6f646c
--- /dev/null
+++ b/changelogs/unreleased/security-tags-oracle.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
diff --git a/lib/api/release/links.rb b/lib/api/release/links.rb
index e3072684ef7..5d1b40e3bff 100644
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
@@ -8,6 +8,8 @@ module API
RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
.merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
+ before { authorize! :read_release, user_project }
+
params do
requires :id, type: String, desc: 'The ID of a project'
end
diff --git a/spec/requests/api/release/links_spec.rb b/spec/requests/api/release/links_spec.rb
index ba948e37e2f..3a59052bb29 100644
--- a/spec/requests/api/release/links_spec.rb
+++ b/spec/requests/api/release/links_spec.rb
@@ -73,6 +73,22 @@ describe API::Release::Links do
expect(response).to have_gitlab_http_status(:ok)
end
end
+
+ context 'when project is public and the repository is private' do
+ let(:project) { create(:project, :repository, :public, :repository_private) }
+
+ it_behaves_like '403 response' do
+ let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+ end
+
+ context 'when the release does not exists' do
+ let!(:release) { }
+
+ it_behaves_like '403 response' do
+ let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+ end
+ end
+ end
end
end