Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'
Fix using wildcards in protected tags to expose protected variables
02f93da8 · Kamil Trzciński · Robert Speicher · 68e31c09 · 02f93da8 · 02f93da8
Commit 02f93da8 authored Jan 26, 2018 by Kamil Trzciński Committed by Robert Speicher Feb 09, 2018
5 changed files
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1589,8 +1589,11 @@ class Project < ActiveRecord::Base
  end

  def protected_for?(ref)
-    ProtectedBranch.protected?(self, ref) ||
+    if repository.branch_exists?(ref)
+      ProtectedBranch.protected?(self, ref)
+    elsif repository.tag_exists?(ref)
      ProtectedTag.protected?(self, ref)
+    end
  end

  def deployment_variables

--- a/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+++ b/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+---
+title: Fix wilcard protected tags protecting all branches
+merge_request:
+author:
+type: security
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1590,7 +1590,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1598,7 +1598,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1635,7 +1635,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1643,7 +1643,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -549,7 +549,7 @@ describe Group do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -557,7 +557,7 @@ describe Group do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -571,6 +571,10 @@ describe Group do
      let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
      let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }

+      before do
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
+      end
+
      it 'returns all variables belong to the group and parent groups' do
        expected_array1 = [protected_variable, secret_variable]
        expected_array2 = [variable_child, variable_child_2, variable_child_3]

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2092,7 +2092,7 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2100,7 +2100,7 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2125,6 +2125,8 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
+        allow(project).to receive(:repository).and_call_original
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
        create(:protected_branch, name: 'ref', project: project)
      end

@@ -2135,6 +2137,8 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
+        allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
        create(:protected_tag, name: 'ref', project: project)
      end