Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
01e158d0
Commit
01e158d0
authored
Apr 27, 2021
by
GitLab Bot
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add latest changes from gitlab-org/security/gitlab@13-11-stable-ee
parent
ce8500b9
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
49 additions
and
5 deletions
+49
-5
app/services/issues/base_service.rb
app/services/issues/base_service.rb
+3
-1
changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml
...y-disallow-changing-timestamps-on-issue-create-update.yml
+5
-0
lib/api/issues.rb
lib/api/issues.rb
+0
-3
spec/requests/api/issues/issues_spec.rb
spec/requests/api/issues/issues_spec.rb
+28
-0
spec/requests/api/issues/post_projects_issues_spec.rb
spec/requests/api/issues/post_projects_issues_spec.rb
+13
-1
No files found.
app/services/issues/base_service.rb
View file @
01e158d0
...
...
@@ -34,7 +34,7 @@ module Issues
private
def
filter_params
(
merge_request
)
def
filter_params
(
issue
)
super
moved_issue
=
params
.
delete
(
:moved_issue
)
...
...
@@ -44,6 +44,8 @@ module Issues
params
.
delete
(
:iid
)
unless
current_user
.
can?
(
:set_issue_iid
,
project
)
params
.
delete
(
:created_at
)
unless
moved_issue
||
current_user
.
can?
(
:set_issue_created_at
,
project
)
params
.
delete
(
:updated_at
)
unless
moved_issue
||
current_user
.
can?
(
:set_issue_updated_at
,
project
)
issue
.
system_note_timestamp
=
params
[
:created_at
]
||
params
[
:updated_at
]
end
def
create_assignee_note
(
issue
,
old_assignees
)
...
...
changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml
0 → 100644
View file @
01e158d0
---
title
:
Restrict setting system_note_timestamp to owners
merge_request
:
author
:
type
:
security
lib/api/issues.rb
View file @
01e158d0
...
...
@@ -249,7 +249,6 @@ module API
authorize!
:create_issue
,
user_project
issue_params
=
declared_params
(
include_missing:
false
)
issue_params
[
:system_note_timestamp
]
=
params
[
:created_at
]
issue_params
=
convert_parameters_from_legacy_format
(
issue_params
)
...
...
@@ -293,8 +292,6 @@ module API
issue
=
user_project
.
issues
.
find_by!
(
iid:
params
.
delete
(
:issue_iid
))
authorize!
:update_issue
,
issue
issue
.
system_note_timestamp
=
params
[
:updated_at
]
update_params
=
declared_params
(
include_missing:
false
).
merge
(
request:
request
,
api:
true
)
update_params
=
convert_parameters_from_legacy_format
(
update_params
)
...
...
spec/requests/api/issues/issues_spec.rb
View file @
01e158d0
...
...
@@ -943,6 +943,34 @@ RSpec.describe API::Issues do
it_behaves_like
'issuable update endpoint'
do
let
(
:entity
)
{
issue
}
end
describe
'updated_at param'
do
let
(
:fixed_time
)
{
Time
.
new
(
2001
,
1
,
1
)
}
let
(
:updated_at
)
{
Time
.
new
(
2000
,
1
,
1
)
}
before
do
travel_to
fixed_time
end
it
'allows admins to set the timestamp'
do
put
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
"
,
admin
),
params:
{
labels:
'label1'
,
updated_at:
updated_at
}
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Time
.
parse
(
json_response
[
'updated_at'
])).
to
be_like_time
(
updated_at
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
updated_at
)
end
it
'does not allow other users to set the timestamp'
do
reporter
=
create
(
:user
)
project
.
add_developer
(
reporter
)
put
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
"
,
reporter
),
params:
{
labels:
'label1'
,
updated_at:
updated_at
}
expect
(
response
).
to
have_gitlab_http_status
(
:ok
)
expect
(
Time
.
parse
(
json_response
[
'updated_at'
])).
to
be_like_time
(
fixed_time
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
fixed_time
)
end
end
end
describe
'DELETE /projects/:id/issues/:issue_iid'
do
...
...
spec/requests/api/issues/post_projects_issues_spec.rb
View file @
01e158d0
...
...
@@ -330,15 +330,21 @@ RSpec.describe API::Issues do
end
context
'setting created_at'
do
let
(
:fixed_time
)
{
Time
.
new
(
2001
,
1
,
1
)
}
let
(
:creation_time
)
{
2
.
weeks
.
ago
}
let
(
:params
)
{
{
title:
'new issue'
,
labels:
'label, label2'
,
created_at:
creation_time
}
}
before
do
travel_to
fixed_time
end
context
'by an admin'
do
it
'sets the creation time on the new issue'
do
post
api
(
"/projects/
#{
project
.
id
}
/issues"
,
admin
),
params:
params
expect
(
response
).
to
have_gitlab_http_status
(
:created
)
expect
(
Time
.
parse
(
json_response
[
'created_at'
])).
to
be_like_time
(
creation_time
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
creation_time
)
end
end
...
...
@@ -348,6 +354,7 @@ RSpec.describe API::Issues do
expect
(
response
).
to
have_gitlab_http_status
(
:created
)
expect
(
Time
.
parse
(
json_response
[
'created_at'
])).
to
be_like_time
(
creation_time
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
creation_time
)
end
end
...
...
@@ -356,19 +363,24 @@ RSpec.describe API::Issues do
group
=
create
(
:group
)
group_project
=
create
(
:project
,
:public
,
namespace:
group
)
group
.
add_owner
(
user2
)
post
api
(
"/projects/
#{
group_project
.
id
}
/issues"
,
user2
),
params:
params
expect
(
response
).
to
have_gitlab_http_status
(
:created
)
expect
(
Time
.
parse
(
json_response
[
'created_at'
])).
to
be_like_time
(
creation_time
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
creation_time
)
end
end
context
'by another user'
do
it
'ignores the given creation time'
do
project
.
add_developer
(
user2
)
post
api
(
"/projects/
#{
project
.
id
}
/issues"
,
user2
),
params:
params
expect
(
response
).
to
have_gitlab_http_status
(
:created
)
expect
(
Time
.
parse
(
json_response
[
'created_at'
])).
not_to
be_like_time
(
creation_time
)
expect
(
Time
.
parse
(
json_response
[
'created_at'
])).
to
be_like_time
(
fixed_time
)
expect
(
ResourceLabelEvent
.
last
.
created_at
).
to
be_like_time
(
fixed_time
)
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment