Fix confidential issue label disclosure on milestone view

Add changelog entry Method should be public Use milestonish method Use render data to filter labels Add specs for label visibility on milestone
2019-05-14 13:16:30 +02:00 · 2019-05-14 13:16:30 +02:00 · b6424b378d
parent b02fca9684
commit b6424b378d
3 changed files with 46 additions and 1 deletions
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@ -26,16 +26,22 @@ module MilestoneActions
    end
  end

+  # rubocop:disable Gitlab/ModuleWithInstanceVariables
  def labels
    respond_to do |format|
      format.html { redirect_to milestone_redirect_path }
      format.json do
+        milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
+
        render json: tabs_json("shared/milestones/_labels_tab", {
-          labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          labels: milestone_labels.map do |label|
+            label.present(issuable_subject: @milestone.parent)
+          end
        })
      end
    end
  end
+  # rubocop:enable Gitlab/ModuleWithInstanceVariables

  private

--- a/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
+++ b/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
@ -0,0 +1,5 @@
+---
+title: Fix confidential issue label disclosure on milestone view
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@ -175,6 +175,40 @@ describe Projects::MilestonesController do
      end
    end

+    describe '#labels' do
+      render_views
+
+      context 'as json' do
+        let!(:guest) { create(:user, username: 'guest1') }
+        let!(:group) { create(:group, :public) }
+        let!(:project) { create(:project, :public, group: group) }
+        let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
+        let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
+
+        it 'does not render labels of private issues if user has no access' do
+          sign_in(guest)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).not_to include(label.title)
+        end
+
+        it 'does render labels of private issues if user has access' do
+          sign_in(user)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).to include(label.title)
+        end
+      end
+    end
+
    context 'promotion succeeds' do
      before do
        group.add_developer(user)