Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
4423f262
Commit
4423f262
authored
Sep 20, 2018
by
Brett Walker
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Filter system notes with public and private cross references
parent
2dbed5d6
Changes
7
Show whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
91 additions
and
33 deletions
+91
-33
app/models/note.rb
app/models/note.rb
+15
-12
app/models/system_note_metadata.rb
app/models/system_note_metadata.rb
+5
-0
ee/app/models/ee/system_note_metadata.rb
ee/app/models/ee/system_note_metadata.rb
+11
-0
ee/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
...leased/security-fix-leaking-private-project-namespace.yml
+5
-0
lib/banzai/object_renderer.rb
lib/banzai/object_renderer.rb
+1
-0
lib/banzai/redactor.rb
lib/banzai/redactor.rb
+7
-1
spec/models/note_spec.rb
spec/models/note_spec.rb
+47
-20
No files found.
app/models/note.rb
View file @
4423f262
...
@@ -45,10 +45,12 @@ class Note < ActiveRecord::Base
...
@@ -45,10 +45,12 @@ class Note < ActiveRecord::Base
# Banzai::ObjectRenderer.
# Banzai::ObjectRenderer.
attr_accessor
:redacted_note_html
attr_accessor
:redacted_note_html
# An Array containing the number of visible references as generated by
# Number of user visible references as generated by Banzai::ObjectRenderer
# Banzai::ObjectRenderer
attr_accessor
:user_visible_reference_count
attr_accessor
:user_visible_reference_count
# Total of all references as generated by Banzai::ObjectRenderer
attr_accessor
:total_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
# Attribute used to store the attributes that have been changed by quick actions.
attr_accessor
:commands_changes
attr_accessor
:commands_changes
...
@@ -296,15 +298,7 @@ class Note < ActiveRecord::Base
...
@@ -296,15 +298,7 @@ class Note < ActiveRecord::Base
end
end
def
cross_reference_not_visible_for?
(
user
)
def
cross_reference_not_visible_for?
(
user
)
cross_reference?
&&
!
has_referenced_mentionables?
(
user
)
cross_reference?
&&
!
all_referenced_mentionables_allowed?
(
user
)
end
def
has_referenced_mentionables?
(
user
)
if
user_visible_reference_count
.
present?
user_visible_reference_count
>
0
else
referenced_mentionables
(
user
).
any?
end
end
end
def
award_emoji?
def
award_emoji?
...
@@ -474,9 +468,18 @@ class Note < ActiveRecord::Base
...
@@ -474,9 +468,18 @@ class Note < ActiveRecord::Base
self
.
discussion_id
||=
discussion_class
.
discussion_id
(
self
)
self
.
discussion_id
||=
discussion_class
.
discussion_id
(
self
)
end
end
def
all_referenced_mentionables_allowed?
(
user
)
if
user_visible_reference_count
.
present?
&&
total_reference_count
.
present?
# if they are not equal, then there are private/confidential references as well
user_visible_reference_count
>
0
&&
user_visible_reference_count
==
total_reference_count
else
referenced_mentionables
(
user
).
any?
end
end
def
force_cross_reference_regex_check?
def
force_cross_reference_regex_check?
return
unless
system
?
return
unless
system
?
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
include?
(
system_note_metadata
&
.
action
)
system_note_metadata
&
.
cross_reference_types
&
.
include?
(
system_note_metadata
&
.
action
)
end
end
end
end
app/models/system_note_metadata.rb
View file @
4423f262
...
@@ -12,6 +12,7 @@ class SystemNoteMetadata < ActiveRecord::Base
...
@@ -12,6 +12,7 @@ class SystemNoteMetadata < ActiveRecord::Base
commit cross_reference
commit cross_reference
close duplicate
close duplicate
relate unrelate
relate unrelate
moved
]
.
freeze
]
.
freeze
ICON_TYPES
=
%w[
ICON_TYPES
=
%w[
...
@@ -29,4 +30,8 @@ class SystemNoteMetadata < ActiveRecord::Base
...
@@ -29,4 +30,8 @@ class SystemNoteMetadata < ActiveRecord::Base
def
icon_types
def
icon_types
ICON_TYPES
ICON_TYPES
end
end
def
cross_reference_types
TYPES_WITH_CROSS_REFERENCES
end
end
end
ee/app/models/ee/system_note_metadata.rb
View file @
4423f262
...
@@ -8,9 +8,20 @@ module EE
...
@@ -8,9 +8,20 @@ module EE
epic_issue_moved issue_changed_epic epic_date_changed
epic_issue_moved issue_changed_epic epic_date_changed
]
.
freeze
]
.
freeze
EE_TYPES_WITH_CROSS_REFERENCES
=
%w[
relate unrelate
epic_issue_added issue_added_to_epic epic_issue_removed issue_removed_from_epic
epic_issue_moved issue_changed_epic
]
.
freeze
override
:icon_types
override
:icon_types
def
icon_types
def
icon_types
@icon_types
||=
(
super
+
EE_ICON_TYPES
).
freeze
@icon_types
||=
(
super
+
EE_ICON_TYPES
).
freeze
end
end
override
:cross_reference_types
def
cross_reference_types
@cross_reference_types
||=
(
super
+
EE_TYPES_WITH_CROSS_REFERENCES
).
freeze
end
end
end
end
end
ee/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
0 → 100644
View file @
4423f262
---
title
:
Properly filter private references from system notes
merge_request
:
author
:
type
:
security
lib/banzai/object_renderer.rb
View file @
4423f262
...
@@ -38,6 +38,7 @@ module Banzai
...
@@ -38,6 +38,7 @@ module Banzai
redacted_data
=
redacted
[
index
]
redacted_data
=
redacted
[
index
]
object
.
__send__
(
"redacted_
#{
attribute
}
_html="
,
redacted_data
[
:document
].
to_html
(
save_options
).
html_safe
)
# rubocop:disable GitlabSecurity/PublicSend
object
.
__send__
(
"redacted_
#{
attribute
}
_html="
,
redacted_data
[
:document
].
to_html
(
save_options
).
html_safe
)
# rubocop:disable GitlabSecurity/PublicSend
object
.
user_visible_reference_count
=
redacted_data
[
:visible_reference_count
]
if
object
.
respond_to?
(
:user_visible_reference_count
)
object
.
user_visible_reference_count
=
redacted_data
[
:visible_reference_count
]
if
object
.
respond_to?
(
:user_visible_reference_count
)
object
.
total_reference_count
=
redacted_data
[
:total_reference_count
]
if
object
.
respond_to?
(
:total_reference_count
)
end
end
end
end
...
...
lib/banzai/redactor.rb
View file @
4423f262
...
@@ -37,7 +37,13 @@ module Banzai
...
@@ -37,7 +37,13 @@ module Banzai
all_document_nodes
.
each
do
|
entry
|
all_document_nodes
.
each
do
|
entry
|
nodes_for_document
=
entry
[
:nodes
]
nodes_for_document
=
entry
[
:nodes
]
doc_data
=
{
document:
entry
[
:document
],
visible_reference_count:
nodes_for_document
.
count
}
doc_data
=
{
document:
entry
[
:document
],
total_reference_count:
nodes_for_document
.
count
,
visible_reference_count:
nodes_for_document
.
count
}
metadata
<<
doc_data
metadata
<<
doc_data
nodes_for_document
.
each
do
|
node
|
nodes_for_document
.
each
do
|
node
|
...
...
spec/models/note_spec.rb
View file @
4423f262
...
@@ -231,13 +231,7 @@ describe Note do
...
@@ -231,13 +231,7 @@ describe Note do
let
(
:ext_proj
)
{
create
(
:project
,
:public
)
}
let
(
:ext_proj
)
{
create
(
:project
,
:public
)
}
let
(
:ext_issue
)
{
create
(
:issue
,
project:
ext_proj
)
}
let
(
:ext_issue
)
{
create
(
:issue
,
project:
ext_proj
)
}
let
(
:note
)
do
shared_examples
"checks references"
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it
"returns true"
do
it
"returns true"
do
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
end
...
@@ -248,6 +242,7 @@ describe Note do
...
@@ -248,6 +242,7 @@ describe Note do
it
"returns false if user visible reference count set"
do
it
"returns false if user visible reference count set"
do
note
.
user_visible_reference_count
=
1
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
1
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_falsy
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_falsy
...
@@ -261,6 +256,38 @@ describe Note do
...
@@ -261,6 +256,38 @@ describe Note do
end
end
end
end
context
"when there is one reference in note"
do
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it_behaves_like
"checks references"
end
context
"when there are two references in note"
do
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
and "
\
"public issue
#{
ext_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it_behaves_like
"checks references"
it
"returns true if user visible reference count set and there is a private reference"
do
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
2
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
end
end
describe
'#cross_reference?'
do
describe
'#cross_reference?'
do
it
'falsey for user-generated notes'
do
it
'falsey for user-generated notes'
do
note
=
create
(
:note
,
system:
false
)
note
=
create
(
:note
,
system:
false
)
...
@@ -269,7 +296,7 @@ describe Note do
...
@@ -269,7 +296,7 @@ describe Note do
end
end
context
'when the note might contain cross references'
do
context
'when the note might contain cross references'
do
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
each
do
|
type
|
SystemNoteMetadata
.
new
.
cross_reference_types
.
each
do
|
type
|
let
(
:note
)
{
create
(
:note
,
:system
)
}
let
(
:note
)
{
create
(
:note
,
:system
)
}
let!
(
:metadata
)
{
create
(
:system_note_metadata
,
note:
note
,
action:
type
)
}
let!
(
:metadata
)
{
create
(
:system_note_metadata
,
note:
note
,
action:
type
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment