Commit 706a2f6f authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee

parent 7a9b1c4b
...@@ -463,6 +463,7 @@ class ProjectPolicy < BasePolicy ...@@ -463,6 +463,7 @@ class ProjectPolicy < BasePolicy
rule { repository_disabled }.policy do rule { repository_disabled }.policy do
prevent :push_code prevent :push_code
prevent :download_code prevent :download_code
prevent :build_download_code
prevent :fork_project prevent :fork_project
prevent :read_commit_status prevent :read_commit_status
prevent :read_pipeline prevent :read_pipeline
......
---
title: Prevent fetching repository code with unauthorized ci token
merge_request:
author:
type: security
...@@ -5,6 +5,7 @@ require 'spec_helper' ...@@ -5,6 +5,7 @@ require 'spec_helper'
describe ProjectPolicy do describe ProjectPolicy do
include ExternalAuthorizationServiceHelpers include ExternalAuthorizationServiceHelpers
include_context 'ProjectPolicy context' include_context 'ProjectPolicy context'
let_it_be(:other_user) { create(:user) }
let_it_be(:guest) { create(:user) } let_it_be(:guest) { create(:user) }
let_it_be(:reporter) { create(:user) } let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) } let_it_be(:developer) { create(:user) }
...@@ -163,7 +164,7 @@ describe ProjectPolicy do ...@@ -163,7 +164,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
it 'disallows all permissions when the feature is disabled' do it 'disallows all permissions when the feature is disabled' do
project.project_feature.update(merge_requests_access_level: ProjectFeature::DISABLED) project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
mr_permissions = [:create_merge_request_from, :read_merge_request, mr_permissions = [:create_merge_request_from, :read_merge_request,
:update_merge_request, :admin_merge_request, :update_merge_request, :admin_merge_request,
...@@ -215,7 +216,7 @@ describe ProjectPolicy do ...@@ -215,7 +216,7 @@ describe ProjectPolicy do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
before do before do
project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
end end
context 'without metrics_dashboard_allowed' do context 'without metrics_dashboard_allowed' do
...@@ -260,7 +261,7 @@ describe ProjectPolicy do ...@@ -260,7 +261,7 @@ describe ProjectPolicy do
subject { described_class.new(guest, project) } subject { described_class.new(guest, project) }
before do before do
project.project_feature.update(builds_access_level: ProjectFeature::PRIVATE) project.project_feature.update!(builds_access_level: ProjectFeature::PRIVATE)
end end
it 'disallows pipeline and commit_status permissions' do it 'disallows pipeline and commit_status permissions' do
...@@ -275,10 +276,29 @@ describe ProjectPolicy do ...@@ -275,10 +276,29 @@ describe ProjectPolicy do
end end
context 'repository feature' do context 'repository feature' do
let(:repository_permissions) do
[
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release, :download_code, :build_download_code
]
end
context 'when user is a project member' do
subject { described_class.new(owner, project) } subject { described_class.new(owner, project) }
context 'when it is disabled' do
before do before do
project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) project.project_feature.update!(
repository_access_level: ProjectFeature::DISABLED,
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
forking_access_level: ProjectFeature::DISABLED
)
end end
context 'without metrics_dashboard_allowed' do context 'without metrics_dashboard_allowed' do
...@@ -287,16 +307,6 @@ describe ProjectPolicy do ...@@ -287,16 +307,6 @@ describe ProjectPolicy do
end end
it 'disallows all permissions when the feature is disabled' do it 'disallows all permissions when the feature is disabled' do
repository_permissions = [
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
:create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release
]
expect_disallowed(*repository_permissions) expect_disallowed(*repository_permissions)
end end
end end
...@@ -306,19 +316,30 @@ describe ProjectPolicy do ...@@ -306,19 +316,30 @@ describe ProjectPolicy do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end end
it 'disallows all permissions when the feature is disabled' do it 'disallows all permissions but read_environment when the feature is disabled' do
repository_permissions = [ expect_disallowed(*(repository_permissions - [:read_environment]))
:create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, expect_allowed(:read_environment)
:create_build, :read_build, :update_build, :admin_build, :destroy_build, end
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, end
:create_environment, :update_environment, :admin_environment, :destroy_environment, end
:create_cluster, :read_cluster, :update_cluster, :admin_cluster, end
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:destroy_release
]
context 'when user is some other user' do
subject { described_class.new(other_user, project) }
context 'when access level is private' do
before do
project.project_feature.update!(
repository_access_level: ProjectFeature::PRIVATE,
merge_requests_access_level: ProjectFeature::PRIVATE,
builds_access_level: ProjectFeature::PRIVATE,
forking_access_level: ProjectFeature::PRIVATE
)
end
it 'disallows all permissions' do
expect_disallowed(*repository_permissions) expect_disallowed(*repository_permissions)
expect_allowed(:read_environment) end
end end
end end
end end
...@@ -601,7 +622,7 @@ describe ProjectPolicy do ...@@ -601,7 +622,7 @@ describe ProjectPolicy do
context 'feature enabled' do context 'feature enabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end end
context 'with reporter' do context 'with reporter' do
...@@ -665,7 +686,7 @@ describe ProjectPolicy do ...@@ -665,7 +686,7 @@ describe ProjectPolicy do
context 'feature enabled' do context 'feature enabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
end end
context 'with reporter' do context 'with reporter' do
...@@ -750,7 +771,7 @@ describe ProjectPolicy do ...@@ -750,7 +771,7 @@ describe ProjectPolicy do
context 'feature disabled' do context 'feature disabled' do
before do before do
project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::DISABLED)
end end
context 'with reporter' do context 'with reporter' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment