kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Prevent leaking information when issue is moved

Browse source 
Prevent leaking namespace and project names on moved issue links
This commit is contained in:
Felipe Artur 2019-04-08 15:21:21 -03:00
parent b416555411
commit ff06452e05
3 changed files with 27 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/views/projects/issues/show.html.haml
View file

@ -15,7 +15,7 @@
.issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) } .issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
= sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none') = sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
.d-none.d-sm-block .d-none.d-sm-block
- if @issue.moved? - if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
- moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe - moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
- moved_link_end = '</a>'.html_safe - moved_link_end = '</a>'.html_safe
= s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start, = s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,

5
changelogs/unreleased/security-issue_2830.yml Normal file
View file

@ -0,0 +1,5 @@
---
title: 'Resolve: moving an issue to private repo leaks namespace and project name'
merge_request:
author:
type: security

27
spec/views/projects/issues/show.html.haml_spec.rb
View file

@ -19,6 +19,7 @@ describe 'projects/issues/show' do
context 'when the issue is closed' do context 'when the issue is closed' do
before do before do
allow(issue).to receive(:closed?).and_return(true) allow(issue).to receive(:closed?).and_return(true)
allow(view).to receive(:current_user).and_return(user)
end end
context 'when the issue was moved' do context 'when the issue was moved' do
@ -28,16 +29,30 @@ describe 'projects/issues/show' do
issue.moved_to = new_issue issue.moved_to = new_issue
end end
it 'shows "Closed (moved)" if an issue has been moved' do context 'when user can see the moved issue' do
render before do
project.add_developer(user)
end
expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)') it 'shows "Closed (moved)" if an issue has been moved' do
render
expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
end
it 'links "moved" to the new issue the original issue was moved to' do
render
expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
end
end end
it 'links "moved" to the new issue the original issue was moved to' do context 'when user cannot see moved issue' do
render it 'does not show moved issue link' do
render
expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved') expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
end
end end
end end