summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG.md7
-rw-r--r--GITALY_SERVER_VERSION2
-rw-r--r--VERSION2
-rw-r--r--app/policies/project_policy.rb1
-rw-r--r--spec/policies/project_policy_spec.rb103
5 files changed, 72 insertions, 43 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1356338f635..53920c6ecc7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.0.4 (2020-06-03)
+
+### Security (1 change)
+
+- Prevent fetching repository code with unauthorized ci token.
+
+
## 13.0.3 (2020-05-29)
### Fixed (8 changes, 1 of them is from the community)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 2cb4f2f6326..1b8bd35d6e0 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.0.3
+13.0.4
diff --git a/VERSION b/VERSION
index 2cb4f2f6326..1b8bd35d6e0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.0.3
+13.0.4
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index a24c0471d6c..8df4fc5e88c 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -463,6 +463,7 @@ class ProjectPolicy < BasePolicy
rule { repository_disabled }.policy do
prevent :push_code
prevent :download_code
+ prevent :build_download_code
prevent :fork_project
prevent :read_commit_status
prevent :read_pipeline
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 09d54eb9df6..f91d5658626 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers
include_context 'ProjectPolicy context'
+ let_it_be(:other_user) { create(:user) }
let_it_be(:guest) { create(:user) }
let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) }
@@ -163,7 +164,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do
- project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
mr_permissions = [:create_merge_request_from, :read_merge_request,
:update_merge_request, :admin_merge_request,
@@ -215,7 +216,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) }
before do
- project.project_feature.update(builds_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
end
context 'without metrics_dashboard_allowed' do
@@ -260,7 +261,7 @@ describe ProjectPolicy do
subject { described_class.new(guest, project) }
before do
- project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE)
+ project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
end
it 'disallows pipeline and commit_status permissions' do
@@ -275,50 +276,70 @@ describe ProjectPolicy do
end
context 'repository feature' do
- subject { described_class.new(owner, project) }
+ let(:repository_permissions) do
+ [
+ :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
+ :create_build, :read_build, :update_build, :admin_build, :destroy_build,
+ :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
+ :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
+ :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
+ :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
+ :destroy_release, :download_code, :build_download_code
+ ]
+ end
+
+ context 'when user is a project member' do
+ subject { described_class.new(owner, project) }
- before do
- project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
- end
+ context 'when it is disabled' do
+ before do
+ project.project_feature.update!(
+ repository_access_level: ProjectFeature::DISABLED,
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ builds_access_level: ProjectFeature::DISABLED,
+ forking_access_level: ProjectFeature::DISABLED
+ )
+ end
- context 'without metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
- end
+ context 'without metrics_dashboard_allowed' do
+ before do
+ project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
+ end
- it 'disallows all permissions when the feature is disabled' do
- repository_permissions = [
- :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
- :create_build, :read_build, :update_build, :admin_build, :destroy_build,
- :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
- :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
- :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
- :destroy_release
- ]
+ it 'disallows all permissions when the feature is disabled' do
+ expect_disallowed(*repository_permissions)
+ end
+ end
- expect_disallowed(*repository_permissions)
+ context 'with metrics_dashboard_allowed' do
+ before do
+ project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ end
+
+ it 'disallows all permissions but read_environment when the feature is disabled' do
+ expect_disallowed(*(repository_permissions - [:read_environment]))
+ expect_allowed(:read_environment)
+ end
+ end
end
end
- context 'with metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
- end
+ context 'when user is some other user' do
+ subject { described_class.new(other_user, project) }
- it 'disallows all permissions when the feature is disabled' do
- repository_permissions = [
- :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
- :create_build, :read_build, :update_build, :admin_build, :destroy_build,
- :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :update_environment, :admin_environment, :destroy_environment,
- :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
- :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
- :destroy_release
- ]
+ context 'when access level is private' do
+ before do
+ project.project_feature.update!(
+ repository_access_level: ProjectFeature::PRIVATE,
+ merge_requests_access_level: ProjectFeature::PRIVATE,
+ builds_access_level: ProjectFeature::PRIVATE,
+ forking_access_level: ProjectFeature::PRIVATE
+ )
+ end
- expect_disallowed(*repository_permissions)
- expect_allowed(:read_environment)
+ it 'disallows all permissions' do
+ expect_disallowed(*repository_permissions)
+ end
end
end
end
@@ -601,7 +622,7 @@ describe ProjectPolicy do
context 'feature enabled' do
before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
context 'with reporter' do
@@ -665,7 +686,7 @@ describe ProjectPolicy do
context 'feature enabled' do
before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end
context 'with reporter' do
@@ -750,7 +771,7 @@ describe ProjectPolicy do
context 'feature disabled' do
before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end
context 'with reporter' do