Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id See merge request !2077
This commit is contained in:
parent
60c0c0f3d0
commit
91f43587a8
6 changed files with 54 additions and 1 deletions
17
app/finders/group_finder.rb
Normal file
17
app/finders/group_finder.rb
Normal file
|
@ -0,0 +1,17 @@
|
|||
class GroupFinder
|
||||
include Gitlab::Allowable
|
||||
|
||||
def initialize(current_user)
|
||||
@current_user = current_user
|
||||
end
|
||||
|
||||
def execute(*params)
|
||||
group = Group.find_by(*params)
|
||||
|
||||
if can?(@current_user, :read_group, group)
|
||||
group
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,6 +1,8 @@
|
|||
module Groups
|
||||
class UpdateService < Groups::BaseService
|
||||
def execute
|
||||
reject_parent_id!
|
||||
|
||||
# check that user is allowed to set specified visibility_level
|
||||
new_visibility = params[:visibility_level]
|
||||
if new_visibility && new_visibility.to_i != group.visibility_level
|
||||
|
@ -22,5 +24,11 @@ module Groups
|
|||
false
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def reject_parent_id!
|
||||
params.except!(:parent_id)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
- parent = Group.find_by(id: params[:parent_id] || @group.parent_id)
|
||||
- parent = GroupFinder.new(current_user).execute(id: params[:parent_id] || @group.parent_id)
|
||||
- group_path = root_url
|
||||
- group_path << parent.full_path + '/' if parent
|
||||
- if @group.persisted?
|
||||
|
|
4
changelogs/unreleased/jej-group-name-disclosure.yml
Normal file
4
changelogs/unreleased/jej-group-name-disclosure.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Fixed private group name disclosure via new/update forms
|
||||
merge_request:
|
||||
author:
|
|
@ -100,6 +100,16 @@ feature 'Group', feature: true do
|
|||
end
|
||||
end
|
||||
|
||||
it 'checks permissions to avoid exposing groups by parent_id' do
|
||||
group = create(:group, :private, path: 'secret-group')
|
||||
|
||||
logout
|
||||
login_as(:user)
|
||||
visit new_group_path(parent_id: group.id)
|
||||
|
||||
expect(page).not_to have_content('secret-group')
|
||||
end
|
||||
|
||||
describe 'group edit' do
|
||||
let(:group) { create(:group) }
|
||||
let(:path) { edit_group_path(group) }
|
||||
|
|
|
@ -36,6 +36,20 @@ describe Groups::UpdateService, services: true do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "with parent_id user doesn't have permissions for" do
|
||||
let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
|
||||
|
||||
before do
|
||||
service.execute
|
||||
end
|
||||
|
||||
it 'does not update parent_id' do
|
||||
updated_group = public_group.reload
|
||||
|
||||
expect(updated_group.parent_id).to be_nil
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "unauthorized visibility_level validation" do
|
||||
|
|
Loading…
Reference in a new issue