Fix locked file visibility issue for private repositories

Fixes an issue where locked files can be publicly visible to people outside of a project with a private repository.

Fix locked file visibility issue for private repositories
Fixes an issue where locked files can be publicly visible to people outside of a project with a private repository.
301d302c · Luke Duncalfe · e2e15655 · 301d302c · 301d302c · 301d302c
Commit 301d302c authored Jan 17, 2019 by Luke Duncalfe
3 changed files
--- a/ee/app/controllers/projects/path_locks_controller.rb
+++ b/ee/app/controllers/projects/path_locks_controller.rb
@@ -6,6 +6,7 @@ class Projects::PathLocksController < Projects::ApplicationController

  # Authorize
  before_action :require_non_empty_project
+  before_action :authorize_download_code!
  before_action :authorize_push_code!, only: [:toggle]

  before_action :check_license

--- a/ee/changelogs/unreleased/security-fix-locked-files-visibility.yml
+++ b/ee/changelogs/unreleased/security-fix-locked-files-visibility.yml
+---
+title: Fix locked file visibility issue for private repositories
+merge_request:
+author:
+type: security
--- a/ee/spec/requests/projects/path_locks_controller_spec.rb
+++ b/ee/spec/requests/projects/path_locks_controller_spec.rb
 require 'rails_helper'

-describe Projects::PathLocksController, type: :request do
-  let(:project) { create(:project, :repository) }
+describe Projects::PathLocksController, type: :controller do
+  let(:project) { create(:project, :repository, :public) }
  let(:user)    { project.owner }
-  let(:viewer)  { user }
  let(:file_path) { 'files/lfs/lfs_object.iso' }
-  let(:blob_object) { project.repository.blob_at_branch('lfs', file_path) }
-  let!(:lfs_object) { create(:lfs_object, oid: blob_object.lfs_oid) }
-  let!(:lfs_objects_project) { create(:lfs_objects_project, project: project, lfs_object: lfs_object) }

  before do
-    login_as(viewer)
+    sign_in(user)

    allow_any_instance_of(Repository).to receive(:root_ref).and_return('lfs')
  end

+  describe 'GET #index' do
+    it 'displays the lock paths' do
+      get :index, params: { namespace_id: project.namespace, project_id: project }
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+
+    context 'when the user does not have access' do
+      let(:project) { create(:project, :repository, :public, :repository_private) }
+      let(:user) { create(:user) }
+
+      it 'renders a 404' do
+        get :index, params: { namespace_id: project.namespace, project_id: project }
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+
  describe 'POST #toggle' do
    context 'when LFS is enabled' do
      before do
@@ -110,9 +125,20 @@ describe Projects::PathLocksController, type: :request do
        expect(response).to have_gitlab_http_status(200)
      end
    end
+
+    context 'when the user does not have access' do
+      let(:project) { create(:project, :repository, :public, :repository_private) }
+      let(:user) { create(:user) }
+
+      it 'does not allow access' do
+        toggle_lock(file_path)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
  end

  def toggle_lock(path)
-    post toggle_project_path_locks_path(project), params: { path: path }
+    post :toggle, params: { namespace_id: project.namespace, project_id: project, path: path }
  end
 end