Merge branch '335077-snippets-can-be-accessed-from-another-project' into 'master'

Prevent project snippets from being accessed from non-canonical URLs See merge request gitlab-org/gitlab!66282

Merge branch '335077-snippets-can-be-accessed-from-another-project' into 'master'
Prevent project snippets from being accessed from non-canonical URLs See merge request gitlab-org/gitlab!66282
711b58c5 · Tetiana Chupryna · 259dfb98 · 2671a975 · 711b58c5 · 711b58c5
Commit 711b58c5 authored Jul 22, 2021 by Tetiana Chupryna
3 changed files
--- a/app/controllers/concerns/find_snippet.rb
+++ b/app/controllers/concerns/find_snippet.rb
@@ -9,7 +9,7 @@ module FindSnippet
  # rubocop:disable CodeReuse/ActiveRecord
  def snippet
    strong_memoize(:snippet) do
-      snippet_klass.inc_relations_for_view.find_by(id: snippet_id)
+      snippet_klass.inc_relations_for_view.find_by(snippet_find_params)
    end
  end
  # rubocop:enable CodeReuse/ActiveRecord
@@ -21,4 +21,8 @@ module FindSnippet
  def snippet_id
    params[:id]
  end
+
+  def snippet_find_params
+    { id: snippet_id }
+  end
 end
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
 # frozen_string_literal: true

 class Projects::SnippetsController < Projects::Snippets::ApplicationController
+  extend ::Gitlab::Utils::Override
  include SnippetsActions
  include ToggleAwardEmoji
  include SpammableActions
@@ -45,4 +46,9 @@ class Projects::SnippetsController < Projects::Snippets::ApplicationController
  def spammable_path
    project_snippet_path(@project, @snippet)
  end
+
+  override :snippet_find_params
+  def snippet_find_params
+    super.merge(project_id: project.id)
+  end
 end
--- a/spec/controllers/projects/snippets_controller_spec.rb
+++ b/spec/controllers/projects/snippets_controller_spec.rb
@@ -181,6 +181,24 @@ RSpec.describe Projects::SnippetsController do
          end
        end
      end
+
+      context 'when the project snippet is public' do
+        let_it_be(:project_snippet_public) { create(:project_snippet, :public, :repository, project: project, author: user) }
+
+        context 'when attempting to access from a different project route' do
+          subject { get action, params: { namespace_id: project.namespace, project_id: 42, id: project_snippet_public.to_param } }
+
+          before do
+            sign_in(user)
+          end
+
+          it 'responds with status 404' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
    end
  end