Commit d021e628 authored by Kamil Trzciński's avatar Kamil Trzciński Committed by Robert Speicher

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables
parent 886b3a63
......@@ -1601,9 +1601,12 @@ class Project < ActiveRecord::Base
end
def protected_for?(ref)
ProtectedBranch.protected?(self, ref) ||
if repository.branch_exists?(ref)
ProtectedBranch.protected?(self, ref)
elsif repository.tag_exists?(ref)
ProtectedTag.protected?(self, ref)
end
end
def deployment_variables(environment: nil)
deployment_platform(environment: environment)&.predefined_variables || []
......
---
title: Fix wilcard protected tags protecting all branches
merge_request:
author:
type: security
......@@ -1609,7 +1609,7 @@ describe Ci::Build do
context 'when the branch is protected' do
before do
create(:protected_branch, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1617,7 +1617,7 @@ describe Ci::Build do
context 'when the tag is protected' do
before do
create(:protected_tag, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1654,7 +1654,7 @@ describe Ci::Build do
context 'when the branch is protected' do
before do
create(:protected_branch, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......@@ -1662,7 +1662,7 @@ describe Ci::Build do
context 'when the tag is protected' do
before do
create(:protected_tag, project: build.project, name: build.ref)
allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end
it { is_expected.to include(protected_variable) }
......
......@@ -569,7 +569,7 @@ describe Group do
context 'when the ref is a protected branch' do
before do
create(:protected_branch, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -577,7 +577,7 @@ describe Group do
context 'when the ref is a protected tag' do
before do
create(:protected_tag, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -591,6 +591,10 @@ describe Group do
let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
before do
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it 'returns all variables belong to the group and parent groups' do
expected_array1 = [protected_variable, secret_variable]
expected_array2 = [variable_child, variable_child_2, variable_child_3]
......
......@@ -2492,7 +2492,7 @@ describe Project do
context 'when the ref is a protected branch' do
before do
create(:protected_branch, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -2500,7 +2500,7 @@ describe Project do
context 'when the ref is a protected tag' do
before do
create(:protected_tag, name: 'ref', project: project)
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it_behaves_like 'ref is protected'
......@@ -2525,6 +2525,8 @@ describe Project do
context 'when the ref is a protected branch' do
before do
allow(project).to receive(:repository).and_call_original
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
create(:protected_branch, name: 'ref', project: project)
end
......@@ -2535,6 +2537,8 @@ describe Project do
context 'when the ref is a protected tag' do
before do
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
create(:protected_tag, name: 'ref', project: project)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment