gitlab-org--gitlab-foss/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
Luke Duncalfe ba377e91e1 Authorize access before serving project template
Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.

When a issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.

We also now rescue_from FileNotFoundError and handle as 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.

Handling these in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and returning a
404.

https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
2019-06-11 08:21:04 +12:00

5 lines
120 B
YAML

---
title: Prevent the detection of merge request templates by unauthorized users
merge_request:
author:
type: security