Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
9154586c
Commit
9154586c
authored
May 26, 2016
by
Valery Sizov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Confidential notes data leak
parent
32b9276c
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
40 additions
and
4 deletions
+40
-4
CHANGELOG
CHANGELOG
+1
-0
app/models/note.rb
app/models/note.rb
+19
-3
lib/gitlab/project_search_results.rb
lib/gitlab/project_search_results.rb
+1
-1
spec/models/note_spec.rb
spec/models/note_spec.rb
+19
-0
No files found.
CHANGELOG
View file @
9154586c
...
@@ -17,6 +17,7 @@ v 8.9.0 (unreleased)
...
@@ -17,6 +17,7 @@ v 8.9.0 (unreleased)
v 8.8.3
v 8.8.3
- Fix gitlab importer failing to import new projects due to missing credentials
- Fix gitlab importer failing to import new projects due to missing credentials
- Fix import URL migration not rescuing with the correct Error
- Fix import URL migration not rescuing with the correct Error
- In search results, only show notes on confidential issues that the user has access to
v 8.8.2
v 8.8.2
- Added remove due date button. !4209
- Added remove due date button. !4209
...
...
app/models/note.rb
View file @
9154586c
...
@@ -78,13 +78,29 @@ class Note < ActiveRecord::Base
...
@@ -78,13 +78,29 @@ class Note < ActiveRecord::Base
# This method uses ILIKE on PostgreSQL and LIKE on MySQL.
# This method uses ILIKE on PostgreSQL and LIKE on MySQL.
#
#
# query - The search query as a String.
# query - The search query as a String.
# as_user - Limit results to those viewable by a specific user
#
#
# Returns an ActiveRecord::Relation.
# Returns an ActiveRecord::Relation.
def
search
(
query
)
def
search
(
query
,
as_user:
nil
)
table
=
arel_table
table
=
arel_table
pattern
=
"%
#{
query
}
%"
pattern
=
"%
#{
query
}
%"
found_notes
=
joins
(
'LEFT JOIN issues ON issues.id = noteable_id'
).
where
(
table
[
:note
].
matches
(
pattern
))
where
(
table
[
:note
].
matches
(
pattern
))
if
as_user
found_notes
.
where
(
'
issues.confidential IS NULL
OR issues.confidential IS FALSE
OR (issues.confidential IS TRUE
AND (issues.author_id = :user_id
OR issues.assignee_id = :user_id
OR issues.project_id IN(:project_ids)))'
,
user_id:
as_user
.
id
,
project_ids:
as_user
.
authorized_projects
.
select
(
:id
))
else
found_notes
.
where
(
'issues.confidential IS NULL OR issues.confidential IS FALSE'
)
end
end
end
def
grouped_awards
def
grouped_awards
...
...
lib/gitlab/project_search_results.rb
View file @
9154586c
...
@@ -74,7 +74,7 @@ module Gitlab
...
@@ -74,7 +74,7 @@ module Gitlab
end
end
def
notes
def
notes
project
.
notes
.
user
.
search
(
query
).
order
(
'updated_at DESC'
)
project
.
notes
.
user
.
search
(
query
,
as_user:
@current_user
).
order
(
'updated_at DESC'
)
end
end
def
commits
def
commits
...
...
spec/models/note_spec.rb
View file @
9154586c
...
@@ -111,6 +111,25 @@ describe Note, models: true do
...
@@ -111,6 +111,25 @@ describe Note, models: true do
it
'returns notes with matching content regardless of the casing'
do
it
'returns notes with matching content regardless of the casing'
do
expect
(
described_class
.
search
(
'WOW'
)).
to
eq
([
note
])
expect
(
described_class
.
search
(
'WOW'
)).
to
eq
([
note
])
end
end
context
"confidential issues"
do
let
(
:user
)
{
create
:user
}
let
(
:confidential_issue
)
{
create
(
:issue
,
:confidential
,
author:
user
)
}
let
(
:confidential_note
)
{
create
:note
,
note:
"Random"
,
noteable:
confidential_issue
}
it
"returns notes with matching content if user can see the issue"
do
expect
(
described_class
.
search
(
confidential_note
.
note
,
as_user:
user
)).
to
eq
([
confidential_note
])
end
it
"does not return notes with matching content if user can not see the issue"
do
user
=
create
:user
expect
(
described_class
.
search
(
confidential_note
.
note
,
as_user:
user
)).
to
be_empty
end
it
"does not return notes with matching content for unauthenticated users"
do
expect
(
described_class
.
search
(
confidential_note
.
note
)).
to
be_empty
end
end
end
end
describe
'.grouped_awards'
do
describe
'.grouped_awards'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment