Commit 02f93da8 authored by Kamil Trzciński's avatar Kamil Trzciński Committed by Robert Speicher

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables
parent 68e31c09
......@@ -1589,9 +1589,12 @@ class Project < ActiveRecord::Base
end
def protected_for?(ref)
ProtectedBranch.protected?(self, ref) ||
if repository.branch_exists?(ref)
ProtectedBranch.protected?(self, ref)
elsif repository.tag_exists?(ref)
ProtectedTag.protected?(self, ref)
end
end
def deployment_variables
return [] unless deployment_platform
......
---
title: Fix wilcard protected tags protecting all branches
merge_request:
author:
type: security
......@@ -1590,7 +1590,7 @@ describe Ci::Build do
context 'when the branch is protected' do
before do
create(:protected_branch, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1598,7 +1598,7 @@ describe Ci::Build do
context 'when the tag is protected' do
before do
create(:protected_tag, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1635,7 +1635,7 @@ describe Ci::Build do
context 'when the branch is protected' do
before do
create(:protected_branch, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1643,7 +1643,7 @@ describe Ci::Build do
context 'when the tag is protected' do
before do
create(:protected_tag, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......
......@@ -549,7 +549,7 @@ describe Group do
context 'when the ref is a protected branch' do
before do
create(:protected_branch, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -557,7 +557,7 @@ describe Group do
context 'when the ref is a protected tag' do
before do
create(:protected_tag, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -571,6 +571,10 @@ describe Group do
let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
before do
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it 'returns all variables belong to the group and parent groups' do
expected_array1 = [protected_variable, secret_variable]
expected_array2 = [variable_child, variable_child_2, variable_child_3]
......
......@@ -2092,7 +2092,7 @@ describe Project do
context 'when the ref is a protected branch' do
before do
create(:protected_branch, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -2100,7 +2100,7 @@ describe Project do
context 'when the ref is a protected tag' do
before do
create(:protected_tag, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -2125,6 +2125,8 @@ describe Project do
context 'when the ref is a protected branch' do
before do
allow(project).to receive(:repository).and_call_original
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
create(:protected_branch, name: 'ref', project: project)
end
......@@ -2135,6 +2137,8 @@ describe Project do
context 'when the ref is a protected tag' do
before do
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
create(:protected_tag, name: 'ref', project: project)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment