gitlab-org--gitlab-foss/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
Bob Van Landuyt 08dbd93bd6 Validate projects in MR build service
This validates the correct abilities for both projects. Only
`read_project` isn't enough:

For the `source_project` we validate `create_merge_request_from`; this
also validates that the user has developer access to the project.

For the `target_project` we validate `create_merge_request_in`; this
also validates that the user has access to the project's repository.

To avoid generating diffs for unrelated projects we also validate that
the projects are in the same fork network now.
2018-12-14 10:21:09 +01:00

5 lines
132 B
YAML

---
title: Don't expose cross project repositories through diffs when creating merge requests
merge_request:
author:
type: security
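
The checks the commit message describes, next to the `read_project`-only check it replaces, as an added Ruby example that is not GitLab's code. `Project`, `ROLES`, `can?`, the role thresholds and the sample projects are constructed for illustration; only the ability names and the same-fork-network rule come from the commit message.

```ruby
# Added illustration: a toy permission model, not GitLab's policy code.
# Project, ROLES, can? and the sample projects are constructed; only the
# ability names and the fork-network rule come from the commit message.
Project = Struct.new(:name, :public, :repo_access, :fork_network, :members,
                     keyword_init: true)
ROLES = { guest: 10, reporter: 20, developer: 30 }.freeze

def can?(user, ability, project)
  rank = ROLES.fetch(project.members[user], 0)
  readable = project.public || rank >= ROLES[:guest]
  case ability
  when :read_project              then readable
  when :create_merge_request_from then rank >= ROLES[:developer]
  when :create_merge_request_in
    readable && (project.repo_access == :everyone || rank >= ROLES[:reporter])
  else false
  end
end

# The insufficient check: visibility of both projects only.
def read_only_check(user, source, target)
  can?(user, :read_project, source) && can?(user, :read_project, target)
end

# The three validations from the commit message; returns the failures.
def validate_projects(user, source, target)
  errors = []
  unless can?(user, :create_merge_request_from, source)
    errors << "source: create_merge_request_from denied"
  end
  unless can?(user, :create_merge_request_in, target)
    errors << "target: create_merge_request_in denied"
  end
  unless !source.fork_network.nil? && source.fork_network == target.fork_network
    errors << "projects are not in the same fork network"
  end
  errors
end

UPSTREAM = Project.new(name: "upstream", public: true, repo_access: :everyone,
                       fork_network: 1, members: {})
FORK = Project.new(name: "fork", public: false, repo_access: :members,
                   fork_network: 1, members: { alice: :developer })
# Publicly visible project whose repository is restricted to members.
UNRELATED = Project.new(name: "unrelated", public: true, repo_access: :members,
                        fork_network: 2, members: {})

puts read_only_check(:alice, FORK, UNRELATED)   # weak check lets the pair through
puts validate_projects(:alice, FORK, UNRELATED) # lists the failed validations
```

The publicly visible project with a members-only repository is the case the weak check misses: it is readable, so a diff against it would be generated, while the stricter validations reject it both as a target and as a source.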