Merge branch 'security-unauthorized-access-schedule-variables-milestone-13-6' into 'master'

Unauthorized user can access pipeline schedule variables See merge request gitlab-org/security/gitlab!1028

Merge branch 'security-unauthorized-access-schedule-variables-milestone-13-6' into 'master'
Unauthorized user can access pipeline schedule variables See merge request gitlab-org/security/gitlab!1028
00d2b5fa · GitLab Release Tools Bot · 2f3f1707 · 9b561836 · 00d2b5fa · 00d2b5fa
Commit 00d2b5fa authored Oct 29, 2020 by GitLab Release Tools Bot
6 changed files
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -17,6 +17,7 @@ module Ci
    rule { can?(:admin_pipeline) | (can?(:update_build) & owner_of_schedule) }.policy do
      enable :update_pipeline_schedule
      enable :admin_pipeline_schedule
+      enable :read_pipeline_schedule_variables
    end
    rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do

--- a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
+++ b/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
+---
+title: Fix unauthorized user is able to access schedule pipeline variables and values
+merge_request:
+author:
+type: security
--- a/lib/api/ci/pipeline_schedules.rb
+++ b/lib/api/ci/pipeline_schedules.rb
@@ -38,7 +38,7 @@ module API
          requires :pipeline_schedule_id, type: Integer, desc: 'The pipeline schedule id'
        end
        get ':id/pipeline_schedules/:pipeline_schedule_id' do
-          present pipeline_schedule, with: Entities::Ci::PipelineScheduleDetails
+          present pipeline_schedule, with: Entities::Ci::PipelineScheduleDetails, user: current_user
        end
        desc 'Create a new pipeline schedule' do

--- a/lib/api/entities/ci/pipeline_schedule_details.rb
+++ b/lib/api/entities/ci/pipeline_schedule_details.rb
@@ -5,7 +5,9 @@ module API
    module Ci
      class PipelineScheduleDetails < PipelineSchedule
        expose :last_pipeline, using: ::API::Entities::Ci::PipelineBasic
-        expose :variables, using: ::API::Entities::Ci::Variable
+        expose :variables,
+          using: ::API::Entities::Ci::Variable,
+          if: ->(schedule, options) { Ability.allowed?(options[:user], :read_pipeline_schedule_variables, schedule) }
      end
    end
  end

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -137,7 +137,7 @@ RSpec.describe ProjectPolicy do
      it 'disallows all permissions except pipeline when the feature is disabled' do
        builds_permissions = [
          :create_build, :read_build, :update_build, :admin_build, :destroy_build,
-          :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
+          :create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
          :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
          :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
          :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment

--- a/spec/requests/api/ci/pipeline_schedules_spec.rb
+++ b/spec/requests/api/ci/pipeline_schedules_spec.rb
@@ -97,46 +97,112 @@ RSpec.describe API::Ci::PipelineSchedules do
      pipeline_schedule.pipelines << build(:ci_pipeline, project: project)
    end
-    context 'authenticated user with valid permissions' do
+    matcher :return_pipeline_schedule_sucessfully do
-      it 'returns pipeline_schedule details' do
+      match_unless_raises do |reponse|
-        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to match_response_schema('pipeline_schedule')
      end
+    end
-      it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do
+    shared_context 'request with project permissions' do
-        get api("/projects/#{project.id}/pipeline_schedules/-5", developer)
+      context 'authenticated user with project permisions' do
+        before do
+          project.add_maintainer(user)
+        end
-        expect(response).to have_gitlab_http_status(:not_found)
+        it 'returns pipeline_schedule details' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+          expect(response).to return_pipeline_schedule_sucessfully
+          expect(json_response).to have_key('variables')
+        end
      end
    end
-    context 'authenticated user with invalid permissions' do
+    shared_examples 'request with schedule ownership' do
-      it 'does not return pipeline_schedules list' do
+      context 'authenticated user with pipeline schedule ownership' do
-        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+        it 'returns pipeline_schedule details' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", developer)
-        expect(response).to have_gitlab_http_status(:not_found)
+          expect(response).to return_pipeline_schedule_sucessfully
+          expect(json_response).to have_key('variables')
+        end
      end
    end
-    context 'authenticated user with insufficient permissions' do
+    shared_examples 'request with unauthenticated user' do
-      before do
+      context 'with unauthenticated user' do
-        project.add_guest(user)
+        it 'does not return pipeline_schedule' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
      end
+    end
-      it 'does not return pipeline_schedules list' do
+    shared_examples 'request with non-existing pipeline_schedule' do
-        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+      it 'responds with 404 Not Found if requesting non-existing pipeline_schedule' do
+        get api("/projects/#{project.id}/pipeline_schedules/-5", developer)
        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
-    context 'unauthenticated user' do
+    context 'with private project' do
-      it 'does not return pipeline_schedules list' do
+      it_behaves_like 'request with schedule ownership'
-        get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}")
+      it_behaves_like 'request with project permissions'
+      it_behaves_like 'request with unauthenticated user'
+      it_behaves_like 'request with non-existing pipeline_schedule'
-        expect(response).to have_gitlab_http_status(:unauthorized)
+      context 'authenticated user with no project permissions' do
+        it 'does not return pipeline_schedule' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+      context 'authenticated user with insufficient project permissions' do
+        before do
+          project.add_guest(user)
+        end
+        it 'does not return pipeline_schedule' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+    context 'with public project' do
+      let_it_be(:project) { create(:project, :repository, :public, public_builds: false) }
+      it_behaves_like 'request with schedule ownership'
+      it_behaves_like 'request with project permissions'
+      it_behaves_like 'request with unauthenticated user'
+      it_behaves_like 'request with non-existing pipeline_schedule'
+      context 'authenticated user with no project permissions' do
+        it 'returns pipeline_schedule with no variables' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+          expect(response).to return_pipeline_schedule_sucessfully
+          expect(json_response).not_to have_key('variables')
+        end
+      end
+      context 'authenticated user with insufficient project permissions' do
+        before do
+          project.add_guest(user)
+        end
+        it 'returns pipeline_schedule with no variables' do
+          get api("/projects/#{project.id}/pipeline_schedules/#{pipeline_schedule.id}", user)
+          expect(response).to return_pipeline_schedule_sucessfully
+          expect(json_response).not_to have_key('variables')
+        end
      end
    end
  end