Prevent Releases links API to leak tag existance
This commit is contained in:
parent
a6794a2736
commit
d5c858cd40
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Prevent releases links API to leak tag existance
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -8,6 +8,8 @@ module API
|
||||||
RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
|
RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
|
||||||
.merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
|
.merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
|
||||||
|
|
||||||
|
before { authorize! :read_release, user_project }
|
||||||
|
|
||||||
params do
|
params do
|
||||||
requires :id, type: String, desc: 'The ID of a project'
|
requires :id, type: String, desc: 'The ID of a project'
|
||||||
end
|
end
|
||||||
|
|
|
@ -73,6 +73,22 @@ describe API::Release::Links do
|
||||||
expect(response).to have_gitlab_http_status(:ok)
|
expect(response).to have_gitlab_http_status(:ok)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when project is public and the repository is private' do
|
||||||
|
let(:project) { create(:project, :repository, :public, :repository_private) }
|
||||||
|
|
||||||
|
it_behaves_like '403 response' do
|
||||||
|
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the release does not exists' do
|
||||||
|
let!(:release) { }
|
||||||
|
|
||||||
|
it_behaves_like '403 response' do
|
||||||
|
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue