-rw-r--r-- | app/controllers/projects/releases_controller.rb | 3 | ||||
-rw-r--r-- | app/presenters/release_presenter.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-guest-can-read-tag-from-releases.yml | 5 | ||||
-rw-r--r-- | spec/controllers/projects/releases_controller_spec.rb | 9 | ||||
-rw-r--r-- | spec/presenters/release_presenter_spec.rb | 6 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/C++.gitignore | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/Java.gitignore | 0 |
7 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index a6e795a2b91..614bada09ed 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
   before_action :require_non_empty_project, except: [:index]
   before_action :release, only: %i[edit show update downloads]
   before_action :authorize_read_release!
+  # We have to check `download_code` permission because detail URL path
+  # contains git-tag name.
+  before_action :authorize_download_code!, except: [:index]
   before_action do
     push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
     push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)
diff --git a/app/presenters/release_presenter.rb b/app/presenters/release_presenter.rb
index b11585d0d1c..aa6429ab012 100644
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
   end
 
   def self_url
+    return unless can_download_code?
+
     project_release_url(project, release)
   end
 
diff --git a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
new file mode 100644
index 00000000000..a3b9b21d90a
--- /dev/null
+++ b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid exposing release links when the user cannot read git-tag/repository
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/releases_controller_spec.rb b/spec/controllers/projects/releases_controller_spec.rb
index c1f1373ddc2..fc7ab88bbe0 100644
--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
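Review bot: The new `authorize_download_code!` filter runs after `before_action :release` (the line above `authorize_read_release!`), so for edit/show/update/downloads the release is looked up by its tag before the caller's repository permission is checked. Whether that lets a guest distinguish an existing tag from a missing one depends on how `release` and `access_denied!` respond, which are outside this hunk, but ordering the permission check first costs nothing and avoids the question: move `before_action :authorize_download_code!, except: [:index]` above `before_action :release, only: %i[edit show update downloads]`. The comment could also say what stays open and why, e.g. `# Non-index actions embed the git tag in their URL path, so they require the same :download_code permission that guards reading the repository.`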
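Review bot: `self_url` now silently returns nil for users without `download_code`, and nothing in the hunk documents that contract for the views and serializers that call it. Add a YARD note above `def self_url`: `# @return [String, nil] nil when the current user cannot read the repository, because the URL embeds the git tag name`. The changelog speaks of release "links" in the plural; if other methods in this presenter build URLs containing the tag, they need the same guard — only `self_url` is visible here, so that is worth confirming against the rest of the file.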
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
   let_it_be(:private_project) { create(:project, :repository, :private) }
   let_it_be(:developer) { create(:user) }
   let_it_be(:reporter) { create(:user) }
+  let_it_be(:guest) { create(:user) }
   let_it_be(:user) { developer }
   let!(:release_1) { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
   let!(:release_2) { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
   before do
     project.add_developer(developer)
     project.add_reporter(reporter)
+    project.add_guest(guest)
   end
 
   shared_examples_for 'successful request' do
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do
 
       it_behaves_like 'not found'
     end
+
+    context 'when user is a guest' do
+      let(:project) { private_project }
+      let(:user) { guest }
+
+      it_behaves_like 'not found'
+    end
   end
 
   # `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb
diff --git a/spec/presenters/release_presenter_spec.rb b/spec/presenters/release_presenter_spec.rb
index b518584569b..4bf12183eff 100644
--- a/spec/presenters/release_presenter_spec.rb
+++ b/spec/presenters/release_presenter_spec.rb
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
     it 'returns its own url' do
       is_expected.to eq(project_release_url(project, release))
     end
+
+    context 'when user is guest' do
+      let(:user) { guest }
+
+      it { is_expected.to be_nil }
+    end
   end
 
   describe '#opened_merge_requests_url' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore
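Review bot: The new `'when user is a guest'` context in the third hunk pins the 'not found' response for only the action its enclosing `describe` covers, and that describe starts outside the hunk, so it is not visible which action that is. The controller change applies `except: [:index]`, so edit and update are gated too; a guest example under each of those describes (the existing comment already delegates downloads to the request spec) would catch a regression that narrows the filter's `except:` list. It is also worth checking that a guest on the public `project` — not just `private_project` — is rejected, since `download_code` and project visibility are separate checks.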