Prevent leaking information when issue is moved

Prevent leaking namespace and project names on moved issue links
This commit is contained in:
Felipe Artur 2019-04-08 15:21:21 -03:00
parent b416555411
commit ff06452e05
3 changed files with 27 additions and 7 deletions


@ -15,7 +15,7 @@
.issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
= sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
.d-none.d-sm-block
- if @issue.moved?
- if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
- moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
- moved_link_end = '</a>'.html_safe
= s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,
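Review bot: The new `can?(current_user, :read_issue, @issue.moved_to)` guard on the `- if` line carries no comment saying why the link is gated, so a later refactor could plausibly collapse it back to `@issue.moved?` as "redundant" and reintroduce the disclosure; suggest a HAML comment directly above it, `-# Only link to the target when the viewer may read it: issue_path alone reveals the target namespace and project name.` The authorization decision now lives inline in the template, which is fine for this one link but means any other place that renders `@issue.moved_to` needs the same check; a small helper wrapping this condition would keep them in step, though I cannot see from this hunk whether such places exist. The `else` side of the condition (what is rendered when the check fails) and the rest of the format-string call both lie outside the hunk.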


@ -0,0 +1,5 @@
---
title: 'Resolve: moving an issue to private repo leaks namespace and project name'
merge_request:
author:
type: security


@ -19,6 +19,7 @@ describe 'projects/issues/show' do
context 'when the issue is closed' do
before do
allow(issue).to receive(:closed?).and_return(true)
allow(view).to receive(:current_user).and_return(user)
end
context 'when the issue was moved' do
@ -28,16 +29,30 @@ describe 'projects/issues/show' do
issue.moved_to = new_issue
end
it 'shows "Closed (moved)" if an issue has been moved' do
render
context 'when user can see the moved issue' do
before do
project.add_developer(user)
end
expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
it 'shows "Closed (moved)" if an issue has been moved' do
render
expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
end
it 'links "moved" to the new issue the original issue was moved to' do
render
expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
end
end
it 'links "moved" to the new issue the original issue was moved to' do
render
context 'when user cannot see moved issue' do
it 'does not show moved issue link' do
render
expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
end
end
end
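Review bot: The new 'when user cannot see moved issue' example only asserts that no `a[href=...]` for the moved issue is rendered; it does not assert that the target path is absent from the output altogether, which is the actual leak the commit fixes, so a regression that printed the path as plain text would still pass. Add `expect(rendered).not_to include(issue_path(new_issue))` alongside the existing selector check, and consider a second example in that context asserting the "Closed (moved)" status box is still shown so the guard only hides the link, not the status. The example also appears to rely on `user` having no access to `new_issue`'s project, which depends on `let` definitions outside this hunk; a one-line comment in the `context` stating that assumption would make the setup self-explanatory. The enclosing `describe` block starts before the first hunk shown.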