From ed98b14d6293807e32a708faa5e33d2b5bb35282 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 27 Apr 2020 14:36:12 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
---
 app/helpers/projects_helper.rb | 1 +
 changelogs/unreleased/bug-codeowner-diffs.yml | 5 +++++
 .../unreleased/security-branch-permissions.yml | 5 +++++
 spec/helpers/application_helper_spec.rb | 23 +++++++++++++++++-----
 vendor/gitignore/C++.gitignore | 0
 vendor/gitignore/Java.gitignore | 0
 6 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/unreleased/bug-codeowner-diffs.yml
 create mode 100644 changelogs/unreleased/security-branch-permissions.yml
 mode change 100755 => 100644 vendor/gitignore/C++.gitignore
 mode change 100755 => 100644 vendor/gitignore/Java.gitignore
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 3d5f22faf68..8bec7599158 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -624,6 +624,7 @@ module ProjectsHelper
 def find_file_path
 return unless @project && !@project.empty_repo?
+ return unless can?(current_user, :download_code, @project)
 ref = @ref || @project.repository.root_ref
diff --git a/changelogs/unreleased/bug-codeowner-diffs.yml b/changelogs/unreleased/bug-codeowner-diffs.yml
new file mode 100644
index 00000000000..996628240ab
--- /dev/null
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-branch-permissions.yml b/changelogs/unreleased/security-branch-permissions.yml
new file mode 100644
index 00000000000..6b8abe3eda6
--- /dev/null
+++ b/changelogs/unreleased/security-branch-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
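Review bot: The new `can?` guard in find_file_path runs after `@project.empty_repo?`, so a viewer who is not allowed to download code still triggers a repository read before being turned away; authorization should come before the resource is touched. Reordering to `return unless @project && can?(current_user, :download_code, @project)` followed by `return if @project.empty_repo?` gives the same result while skipping the repository call for unauthorized users. A one-line comment such as `# Only expose the find-file URL (and the default branch it embeds) to users who may read the repository` would record why this helper is permission-gated, since the security changelog entry in this patch is the only place that currently explains it. find_file_path's body continues past the hunk, and the two changelog hunks on this line need no change.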
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index a67475e47a3..a96046735c8 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
 end
 context 'when @project is set' do
- it 'includes all possible body data elements and associates the project elements with project' do
- project = create(:project)
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:user) { create(:user) }
+ before do
 assign(:project, project)
+ allow(helper).to receive(:current_user).and_return(nil)
+ end
+ it 'includes all possible body data elements and associates the project elements with project' do
+ expect(helper).to receive(:can?).with(nil, :download_code, project)
 expect(helper.body_data).to eq(
 {
 page: 'application',
@@ -302,12 +307,11 @@ describe ApplicationHelper do
 context 'when params[:id] is present and the issue exsits and action_name is show' do
 it 'sets all project and id elements correctly related to the issue' do
- issue = create(:issue)
+ issue = create(:issue, project: project)
 stub_controller_method(:action_name, 'show')
 stub_controller_method(:params, { id: issue.id })
- assign(:project, issue.project)
-
+ expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
 expect(helper.body_data).to eq(
 {
 page: 'projects:issues:show',
@@ -322,6 +326,15 @@ describe ApplicationHelper do
 end
 end
 end
+
+ context 'when current_user has download_code permission' do
+ it 'returns find_file with the default branch' do
+ allow(helper).to receive(:current_user).and_return(user)
+
+ expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+ expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+ end
+ end
 end
 def stub_controller_method(method_name, value)
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100755
new mode 100644
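Review bot: In the first hunk `expect(helper).to receive(:can?).with(nil, :download_code, project)` carries no `.and_return`, so the denied path is exercised only through the nil that an unconfigured message expectation returns, while the second hunk states `.and_return(false)` explicitly; the first should read `expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)` so the example documents which branch it pins. Both denied examples rely on a full `eq` comparison of body_data whose remaining keys lie outside the hunks, so adding `expect(helper.body_data).not_to have_key(:find_file)` to one of them (or checking `helper.body_data[:find_file]` for nil, depending on how body_data builds its hash) would make the authorization-relevant absence visible at a glance. The positive example in the third hunk checks only `end_with(project.default_branch)`; asserting the full expected URL rather than its suffix would also catch a path built for the wrong project. The enclosing `describe`/`context` blocks begin and end outside these hunks.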
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100755
new mode 100644
-- 
cgit v1.2.1