Commit c5b79e96 authored by Avielle Wolfe's avatar Avielle Wolfe Committed by GitLab Release Tools Bot

Restrict CI lint access to pipeline creators

Merge branch 'security-aw-355738-restrict-ci-config-access-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2515

Changelog: security
parent 43645436
......@@ -12,7 +12,7 @@ module Resolvers
Should not be requested more than once per request.
MD
authorize :read_pipeline
authorize :create_pipeline
argument :project_path, GraphQL::Types::ID,
required: true,
......
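Review bot: The tightened `authorize :create_pipeline` declaration has no comment saying why linting needs more than `:read_pipeline`, so a later refactor could loosen it again without noticing the security intent; add a why-comment above it such as `# Linting runs the config in the project's context, so require the permission needed to create a pipeline there (security fix, issue 355738).`. Note also that the declaration only takes effect where the resolver's `resolve` body calls `authorize!` (or `authorized_find!`) on the project looked up from `project_path`; that body is outside this hunk, so confirm it does, since the guest-user spec expecting `ResourceNotAvailable` relies on it.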
......@@ -407,6 +407,9 @@ and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with ap
- The upgrade to GitLab 14.10 executes a [concurrent index drop](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84308) of unneeded
entries from the `ci_job_artifacts` database table. This could potentially run for multiple minutes, especially if the table has a lot of
traffic and the migration is unable to acquire a lock. It is advised to let this process finish as restarting may result in data loss.
- Unauthenticated requests to the [`ciConfig` GraphQL field](../api/graphql/reference/index.md#queryciconfig) are no longer supported.
Before you upgrade to GitLab 15.1, add an [access token](../api/index.md#authentication) to your requests.
The user creating the token must have [permission](../user/permissions.md) to create pipelines in the project.
### 14.9.0
......
......@@ -7,24 +7,13 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
describe '#resolve' do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :repository, creator: user, namespace: user.namespace) }
let_it_be(:project) { create(:project, :repository) }
let_it_be(:sha) { nil }
let_it_be(:content) do
File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_includes.yml'))
end
let(:ci_lint) do
ci_lint_double = instance_double(::Gitlab::Ci::Lint)
allow(ci_lint_double).to receive(:validate).and_return(fake_result)
ci_lint_double
end
before do
allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
end
subject(:response) do
resolve(described_class,
args: { project_path: project.full_path, content: content, sha: sha },
......@@ -49,6 +38,20 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
end
end
context 'when the user can create a pipeline' do
let(:ci_lint) do
ci_lint_double = instance_double(::Gitlab::Ci::Lint)
allow(ci_lint_double).to receive(:validate).and_return(fake_result)
ci_lint_double
end
before do
allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
project.add_developer(user)
end
context 'with a valid .gitlab-ci.yml' do
context 'with a sha' do
let(:sha) { '1231231' }
......@@ -75,7 +78,7 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
it 'responds with errors about invalid syntax' do
expect(response[:status]).to eq(:invalid)
expect(response[:errors]).to eq(['Invalid configuration format'])
expect(response[:errors]).to match_array(['Invalid configuration format'])
end
end
......@@ -97,4 +100,15 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
end
end
end
context 'when the user cannot create a pipeline' do
before do
project.add_guest(user)
end
it 'returns an error stating that the user cannot access the linting' do
expect { response }.to raise_error(::Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
end
end
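Review bot: The new `'when the user cannot create a pipeline'` context exercises only a guest member, while the documentation change in this same commit states that unauthenticated requests are no longer supported; a non-member user and a nil user are the cases most likely to regress and neither is tested. Since `project` is now created without `user` (the `let_it_be(:project) { create(:project, :repository) }` line at the top of the spec), add a sibling context with no `add_*` call in `before`, and another overriding `let(:user) { nil }`, each expecting `::Gitlab::Graphql::Errors::ResourceNotAvailable`. The `ctx` passed to `resolve` is cut off at the top of the spec section, so confirm a nil user reaches the resolver the same way before relying on that case.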