Commit e0fb6fcf authored by Bob Van Landuyt's avatar Bob Van Landuyt

Don't use fragment cache on commit page

This makes sure the user viewing the commit does not get to see
anything they're not allowed to see
parent b1405787
...@@ -8,19 +8,7 @@ ...@@ -8,19 +8,7 @@
- ref = local_assigns.fetch(:ref) { merge_request&.source_branch } - ref = local_assigns.fetch(:ref) { merge_request&.source_branch }
- link = commit_path(project, commit, merge_request: merge_request) - link = commit_path(project, commit, merge_request: merge_request)
- cache_key = [project.full_path, %li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" }
ref,
commit.id,
Gitlab::CurrentSettings.current_application_settings,
@path.presence,
current_controller?(:commits),
merge_request&.iid,
view_details,
commit.status(ref),
I18n.locale].compact
= cache(cache_key, expires_in: 1.day) do
%li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" }
.avatar-cell.d-none.d-sm-block .avatar-cell.d-none.d-sm-block
= author_avatar(commit, size: 36, has_tooltip: false) = author_avatar(commit, size: 36, has_tooltip: false)
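Review bot: Nothing in the new code records why this partial is no longer fragment-cached, so a later performance pass could reinstate `= cache(cache_key, expires_in: 1.day) do` with the same viewer-independent key and reopen exactly the leak this commit closes. A silent HAML comment directly above the `%li.commit` line would pin the reason, e.g. `-# Not fragment-cached: the rendered commit message may reference confidential issues, and the removed cache key carried no viewer identity or permissions.` The removed key (project path, ref, commit id, settings, path, controller, MR iid, view_details, status, locale) indeed had nothing tied to the current user, which is the fact the comment should preserve. The `ref` and `link` assignments above the hunk are kept, so presumably they are still consumed further down the partial; the partial continues outside the hunk.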
---
title: Don't expose confidential information in commit message list
merge_request:
author:
type: security
...@@ -4,10 +4,9 @@ describe 'User browses commits' do ...@@ -4,10 +4,9 @@ describe 'User browses commits' do
include RepoHelpers include RepoHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project, :repository, namespace: user.namespace) } let(:project) { create(:project, :public, :repository, namespace: user.namespace) }
before do before do
project.add_maintainer(user)
sign_in(user) sign_in(user)
end end
...@@ -127,6 +126,26 @@ describe 'User browses commits' do ...@@ -127,6 +126,26 @@ describe 'User browses commits' do
.and have_selector('entry summary', text: commit.description[0..10].delete("\r\n")) .and have_selector('entry summary', text: commit.description[0..10].delete("\r\n"))
end end
context 'when a commit links to a confidential issue' do
let(:confidential_issue) { create(:issue, confidential: true, title: 'Secret issue!', project: project) }
before do
project.repository.create_file(user, 'dummy-file', 'dummy content',
branch_name: 'feature',
message: "Linking #{confidential_issue.to_reference}")
end
context 'when the user cannot see confidential issues but was cached with a link', :use_clean_rails_memory_store_fragment_caching do
it 'does not render the confidential issue' do
visit project_commits_path(project, 'feature')
sign_in(create(:user))
visit project_commits_path(project, 'feature')
expect(page).not_to have_link(href: project_issue_path(project, confidential_issue))
end
end
end
context 'master branch' do context 'master branch' do
before do before do
visit_commits_page visit_commits_page
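Review bot: The new `'does not render the confidential issue'` example never checks that the first visit, made by the project owner, actually rendered the link, so it would also pass if confidential-issue references were not rendered for anyone, which is not the behaviour under test. Asserting the privileged view before switching users closes that gap: `expect(page).to have_link(href: project_issue_path(project, confidential_issue))` placed directly after the first `visit project_commits_path(project, 'feature')`. The `:use_clean_rails_memory_store_fragment_caching` tag is what makes that first render a potential cache primer, so the visit order must stay as written. `sign_in(create(:user))` is called without signing the owner out first; presumably the feature-spec helper replaces the session, but that is worth confirming so the second visit is really an unprivileged one.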