Merge branch 'security-tags-oracle' into 'master'
Prevent Releases links API to leak tag existence Closes #2795 See merge request gitlab/gitlabhq!2893
This commit is contained in:
commit
d8b4e585a1
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Prevent releases links API to leak tag existance
|
||||
merge_request:
|
||||
author:
|
||||
type: security
|
|
@ -8,6 +8,8 @@ module API
|
|||
RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
|
||||
.merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
|
||||
|
||||
before { authorize! :read_release, user_project }
|
||||
|
||||
params do
|
||||
requires :id, type: String, desc: 'The ID of a project'
|
||||
end
|
||||
|
|
|
@ -73,6 +73,22 @@ describe API::Release::Links do
|
|||
expect(response).to have_gitlab_http_status(:ok)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when project is public and the repository is private' do
|
||||
let(:project) { create(:project, :repository, :public, :repository_private) }
|
||||
|
||||
it_behaves_like '403 response' do
|
||||
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
|
||||
end
|
||||
|
||||
context 'when the release does not exists' do
|
||||
let!(:release) { }
|
||||
|
||||
it_behaves_like '403 response' do
|
||||
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue