From b6424b378d3fd79a78c597f1c3d630ab2245f460 Mon Sep 17 00:00:00 2001
From: Patrick Derichs <pderichs@gitlab.com>
Date: Tue, 14 May 2019 13:16:30 +0200
Subject: [PATCH] Fix confidential issue label disclosure on milestone view

Add changelog entry

Method should be public

Use milestonish method

Use render data to filter labels

Add specs for label visibility on milestone
---
 app/controllers/concerns/milestone_actions.rb |  8 ++++-
 ...idential-issue-label-visibility-master.yml |  5 +++
 .../projects/milestones_controller_spec.rb    | 34 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml

diff --git a/app/controllers/concerns/milestone_actions.rb b/app/controllers/concerns/milestone_actions.rb
index cfff154c3dd..8b8b7db72f8 100644
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@@ -26,16 +26,22 @@ module MilestoneActions
     end
   end
 
+  # rubocop:disable Gitlab/ModuleWithInstanceVariables
   def labels
     respond_to do |format|
       format.html { redirect_to milestone_redirect_path }
       format.json do
+        milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
+
         render json: tabs_json("shared/milestones/_labels_tab", {
-          labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          labels: milestone_labels.map do |label|
+            label.present(issuable_subject: @milestone.parent)
+          end
         })
       end
     end
   end
+  # rubocop:enable Gitlab/ModuleWithInstanceVariables
 
   private
 
diff --git a/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml b/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
new file mode 100644
index 00000000000..adfd8e1298f
--- /dev/null
+++ b/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
@@ -0,0 +1,5 @@
+---
+title: Fix confidential issue label disclosure on milestone view
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index f8470a94f98..767cee7d54a 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -175,6 +175,40 @@ describe Projects::MilestonesController do
       end
     end
 
+    describe '#labels' do
+      render_views
+
+      context 'as json' do
+        let!(:guest) { create(:user, username: 'guest1') }
+        let!(:group) { create(:group, :public) }
+        let!(:project) { create(:project, :public, group: group) }
+        let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
+        let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
+
+        it 'does not render labels of private issues if user has no access' do
+          sign_in(guest)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).not_to include(label.title)
+        end
+
+        it 'does render labels of private issues if user has access' do
+          sign_in(user)
+
+          get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response.content_type).to eq 'application/json'
+
+          expect(json_response['html']).to include(label.title)
+        end
+      end
+    end
+
     context 'promotion succeeds' do
       before do
         group.add_developer(user)