Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

c59bc73c · GitLab Bot · 5b4f92ef · c59bc73c · c59bc73c · c59bc73c
Commit c59bc73c authored Jun 29, 2020 by GitLab Bot
10 changed files
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -45,7 +45,7 @@ class Projects::WikisController < Projects::ApplicationController

      render 'show'
    elsif file_blob
-      send_blob(@project_wiki.repository, file_blob, allow_caching: @project.public?)
+      send_blob(@project_wiki.repository, file_blob)
    elsif show_create_form?
      # Assign a title to the WikiPage unless `id` is a randomly generated slug from #new
      title = params[:id] unless params[:random_title].present?

--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -33,6 +33,8 @@ class EventsFinder
  end

  def execute
+    return Event.none if cannot_access_private_profile?
+
    events = get_events

    events = by_current_user_access(events)
@@ -102,6 +104,10 @@ class EventsFinder
  end
  # rubocop: enable CodeReuse/ActiveRecord

+  def cannot_access_private_profile?
+    source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source)
+  end
+
  def sort(events)
    return events unless params[:sort]


--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -513,7 +513,7 @@ class MergeRequest < ApplicationRecord
      participants << merge_user
    end

-    participants
+    participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }
  end

  def first_commit

--- a/changelogs/unreleased/private-profile-api.yml
+++ b/changelogs/unreleased/private-profile-api.yml
+---
+title: Do not show activity for users with private profiles
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-215175-filter-merge-participants.yml
+++ b/changelogs/unreleased/security-215175-filter-merge-participants.yml
+---
+title: Check access when sending TODOs related to merge requests
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
+++ b/changelogs/unreleased/security-disable-caching-for-wiki-attachments.yml
+---
+title: Disable caching for wiki attachments
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/wikis_controller_spec.rb
+++ b/spec/controllers/projects/wikis_controller_spec.rb
@@ -141,43 +141,19 @@ describe Projects::WikisController do
    context 'when page is a file' do
      include WikiHelpers

-      let(:id) { upload_file_to_wiki(project, user, file_name) }
+      where(:file_name) { ['dk.png', 'unsanitized.svg', 'git-cheat-sheet.pdf'] }

-      context 'when file is an image' do
-        let(:file_name) { 'dk.png' }
+      with_them do
+        let(:id) { upload_file_to_wiki(project, user, file_name) }

-        it 'delivers the image' do
+        it 'delivers the file with the correct headers' do
          subject

          expect(response.headers['Content-Disposition']).to match(/^inline/)
-          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
+          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq('true')
+          expect(response.cache_control[:public]).to be(false)
+          expect(response.cache_control[:extras]).to include('no-store')
        end
-
-        context 'when file is a svg' do
-          let(:file_name) { 'unsanitized.svg' }
-
-          it 'delivers the image' do
-            subject
-
-            expect(response.headers['Content-Disposition']).to match(/^inline/)
-            expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
-          end
-        end
-
-        it_behaves_like 'project cache control headers'
-      end
-
-      context 'when file is a pdf' do
-        let(:file_name) { 'git-cheat-sheet.pdf' }
-
-        it 'sets the content type to sets the content response headers' do
-          subject
-
-          expect(response.headers['Content-Disposition']).to match(/^inline/)
-          expect(response.headers[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
-        end
-
-        it_behaves_like 'project cache control headers'
      end
    end
  end

--- a/spec/finders/events_finder_spec.rb
+++ b/spec/finders/events_finder_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'

 describe EventsFinder do
  let_it_be(:user) { create(:user) }
+  let(:private_user) { create(:user, private_profile: true) }
  let(:other_user) { create(:user) }

  let(:project1) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
@@ -57,6 +58,12 @@ describe EventsFinder do

      expect(events).to be_empty
    end
+
+    it 'returns nothing when the target profile is private' do
+      events = described_class.new(source: private_user, current_user: other_user).execute
+
+      expect(events).to be_empty
+    end
  end

  describe 'wiki events feature flag' do

--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -3458,7 +3458,7 @@ describe MergeRequest do

  describe '#merge_participants' do
    it 'contains author' do
-      expect(subject.merge_participants).to eq([subject.author])
+      expect(subject.merge_participants).to contain_exactly(subject.author)
    end

    describe 'when merge_when_pipeline_succeeds? is true' do
@@ -3472,8 +3472,20 @@ describe MergeRequest do
                 author: user)
        end

-        it 'contains author only' do
-          expect(subject.merge_participants).to eq([subject.author])
+        context 'author is not a project member' do
+          it 'is empty' do
+            expect(subject.merge_participants).to be_empty
+          end
+        end
+
+        context 'author is a project member' do
+          before do
+            subject.project.team.add_reporter(user)
+          end
+
+          it 'contains author only' do
+            expect(subject.merge_participants).to contain_exactly(subject.author)
+          end
        end
      end

@@ -3486,8 +3498,24 @@ describe MergeRequest do
                 merge_user: merge_user)
        end

-        it 'contains author and merge user' do
-          expect(subject.merge_participants).to eq([subject.author, merge_user])
+        before do
+          subject.project.team.add_reporter(subject.author)
+        end
+
+        context 'merge user is not a member' do
+          it 'contains author only' do
+            expect(subject.merge_participants).to contain_exactly(subject.author)
+          end
+        end
+
+        context 'both author and merge users are project members' do
+          before do
+            subject.project.team.add_reporter(merge_user)
+          end
+
+          it 'contains author and merge user' do
+            expect(subject.merge_participants).to contain_exactly(subject.author, merge_user)
+          end
        end
      end
    end

--- a/spec/requests/api/events_spec.rb
+++ b/spec/requests/api/events_spec.rb
@@ -192,6 +192,19 @@ describe API::Events do
        end
      end

+      context 'when target users profile is private' do
+        it 'returns no events' do
+          user.update!(private_profile: true)
+          private_project.add_developer(non_member)
+
+          get api("/users/#{user.username}/events", non_member)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to include_pagination_headers
+          expect(json_response).to eq([])
+        end
+      end
+
      context 'when scope is passed' do
        context 'when unauthenticated' do
          it 'returns no user events' do