Merge branch 'security-issue_2830' into 'master'

Prevent leaking information when issue is moved Closes #2830 See merge request gitlab/gitlabhq!3050

Merge branch 'security-issue_2830' into 'master'
Prevent leaking information when issue is moved Closes #2830 See merge request gitlab/gitlabhq!3050
69285c21 · GitLab Release Tools Bot · fee6e478 · ff06452e · 69285c21 · 69285c21
Commit 69285c21 authored Apr 25, 2019 by GitLab Release Tools Bot
3 changed files
--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -15,7 +15,7 @@
    .issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
      = sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
      .d-none.d-sm-block
-        - if @issue.moved?
+        - if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
          - moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
          - moved_link_end = '</a>'.html_safe
          = s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,

--- a/changelogs/unreleased/security-issue_2830.yml
+++ b/changelogs/unreleased/security-issue_2830.yml
+---
+title: 'Resolve: moving an issue to private repo leaks namespace and project name'
+merge_request:
+author:
+type: security
--- a/spec/views/projects/issues/show.html.haml_spec.rb
+++ b/spec/views/projects/issues/show.html.haml_spec.rb
@@ -19,6 +19,7 @@ describe 'projects/issues/show' do
  context 'when the issue is closed' do
    before do
      allow(issue).to receive(:closed?).and_return(true)
+      allow(view).to receive(:current_user).and_return(user)
    end
    context 'when the issue was moved' do
@@ -28,6 +29,11 @@ describe 'projects/issues/show' do
        issue.moved_to = new_issue
      end
+      context 'when user can see the moved issue' do
+        before do
+          project.add_developer(user)
+        end
        it 'shows "Closed (moved)" if an issue has been moved' do
          render
@@ -41,6 +47,15 @@ describe 'projects/issues/show' do
        end
      end
+      context 'when user cannot see moved issue' do
+        it 'does not show moved issue link' do
+          render
+          expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+        end
+      end
+    end
    it 'shows "Closed" if an issue has not been moved' do
      render