From 4daf3dc0dba8be985ee7d7e3e331e0468d5a72ad Mon Sep 17 00:00:00 2001
From: Oswaldo Ferreira <oswaldo@gitlab.com>
Date: Tue, 20 Aug 2019 17:36:57 -0300
Subject: Avoid exposing unaccessible repo data upon GFM processing

When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.

This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.

Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.
---
 lib/banzai/filter/relative_link_filter.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'lib/banzai')

diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb
index 86f18679496..846a7d46aad 100644
--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@@ -9,6 +9,7 @@ module Banzai
     # Context options:
     #   :commit
     #   :group
+    #   :current_user
     #   :project
     #   :project_wiki
     #   :ref
@@ -18,6 +19,7 @@ module Banzai
 
       def call
         return doc if context[:system_note]
+        return doc unless visible_to_user?
 
         @uri_types = {}
         clear_memoization(:linkable_files)
@@ -166,6 +168,16 @@ module Banzai
         Gitlab.config.gitlab.relative_url_root.presence || '/'
       end
 
+      def visible_to_user?
+        if project
+          Ability.allowed?(current_user, :download_code, project)
+        elsif group
+          Ability.allowed?(current_user, :read_group, group)
+        else # Objects detached from projects or groups, e.g. Personal Snippets.
+          true
+        end
+      end
+
       def ref
         context[:ref] || project.default_branch
       end
@@ -178,6 +190,10 @@ module Banzai
         context[:project]
       end
 
+      def current_user
+        context[:current_user]
+      end
+
       def repository
         @repository ||= project&.repository
       end
-- 
cgit v1.2.1