Commit 44612c0c authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-4' into '12-4-stable'

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3506
parents 1581fb4c 48ab4c01
......@@ -34,6 +34,7 @@ module LfsRequest
end
def lfs_check_access!
return render_lfs_not_found unless project
return if download_request? && lfs_download_access?
return if upload_request? && lfs_upload_access?
......
---
title: Return 404 on LFS request if project doesn't exist
merge_request:
author:
type: security
......@@ -16,13 +16,17 @@ describe LfsRequest do
end
def project
@project ||= Project.find(params[:id])
@project ||= Project.find_by(id: params[:id])
end
def download_request?
true
end
def upload_request?
false
end
def ci?
false
end
......@@ -49,4 +53,41 @@ describe LfsRequest do
expect(assigns(:storage_project)).to eq(project)
end
end
context 'user is authenticated without access to lfs' do
before do
allow(controller).to receive(:authenticate_user)
allow(controller).to receive(:authentication_result) do
Gitlab::Auth::Result.new
end
end
context 'with access to the project' do
it 'returns 403' do
get :show, params: { id: project.id }
expect(response.status).to eq(403)
end
end
context 'without access to the project' do
context 'project does not exist' do
it 'returns 404' do
get :show, params: { id: 'does not exist' }
expect(response.status).to eq(404)
end
end
context 'project is private' do
let(:project) { create(:project, :private) }
it 'returns 404' do
get :show, params: { id: project.id }
expect(response.status).to eq(404)
end
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment