Prevent private repo from being accessed via internal API

5956f00b · Thong Kuah · 3934a31b · 5956f00b · 5956f00b · 5956f00b
Commit 5956f00b authored Sep 02, 2020 by Thong Kuah
3 changed files
--- a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
+++ b/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
+---
+title: Prevent private repo from being accessed via internal Kubernetes API
+merge_request:
+author:
+type: security
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -85,7 +85,7 @@ module API

            # TODO sort out authorization for real
            # https://gitlab.com/gitlab-org/gitlab/-/issues/220912
-            if !project || !project.public?
+            unless Ability.allowed?(nil, :download_code, project)
              not_found!
            end


--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -166,6 +166,16 @@ RSpec.describe API::Internal::Kubernetes do
            )
          )
        end
+
+        context 'repository is for project members only' do
+          let(:project) { create(:project, :public, :repository_private) }
+
+          it 'returns 404' do
+            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
      end

      context 'project is private' do
@@ -190,7 +200,7 @@ RSpec.describe API::Internal::Kubernetes do

      context 'project does not exist' do
        it 'returns 404' do
-          send_request(params: { id: 0 }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+          send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

          expect(response).to have_gitlab_http_status(:not_found)
        end