Commit d021e628 authored by Kamil Trzciński's avatar Kamil Trzciński Committed by Robert Speicher

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables
parent 886b3a63
...@@ -1601,8 +1601,11 @@ class Project < ActiveRecord::Base ...@@ -1601,8 +1601,11 @@ class Project < ActiveRecord::Base
end end
def protected_for?(ref) def protected_for?(ref)
ProtectedBranch.protected?(self, ref) || if repository.branch_exists?(ref)
ProtectedBranch.protected?(self, ref)
elsif repository.tag_exists?(ref)
ProtectedTag.protected?(self, ref) ProtectedTag.protected?(self, ref)
end
end end
def deployment_variables(environment: nil) def deployment_variables(environment: nil)
......
---
title: Fix wilcard protected tags protecting all branches
merge_request:
author:
type: security
...@@ -1609,7 +1609,7 @@ describe Ci::Build do ...@@ -1609,7 +1609,7 @@ describe Ci::Build do
context 'when the branch is protected' do context 'when the branch is protected' do
before do before do
create(:protected_branch, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1617,7 +1617,7 @@ describe Ci::Build do ...@@ -1617,7 +1617,7 @@ describe Ci::Build do
context 'when the tag is protected' do context 'when the tag is protected' do
before do before do
create(:protected_tag, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1654,7 +1654,7 @@ describe Ci::Build do ...@@ -1654,7 +1654,7 @@ describe Ci::Build do
context 'when the branch is protected' do context 'when the branch is protected' do
before do before do
create(:protected_branch, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
...@@ -1662,7 +1662,7 @@ describe Ci::Build do ...@@ -1662,7 +1662,7 @@ describe Ci::Build do
context 'when the tag is protected' do context 'when the tag is protected' do
before do before do
create(:protected_tag, project: build.project, name: build.ref) allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
end end
it { is_expected.to include(protected_variable) } it { is_expected.to include(protected_variable) }
......
...@@ -569,7 +569,7 @@ describe Group do ...@@ -569,7 +569,7 @@ describe Group do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
create(:protected_branch, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -577,7 +577,7 @@ describe Group do ...@@ -577,7 +577,7 @@ describe Group do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
create(:protected_tag, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -591,6 +591,10 @@ describe Group do ...@@ -591,6 +591,10 @@ describe Group do
let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) } let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) } let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
before do
allow(project).to receive(:protected_for?).with('ref').and_return(true)
end
it 'returns all variables belong to the group and parent groups' do it 'returns all variables belong to the group and parent groups' do
expected_array1 = [protected_variable, secret_variable] expected_array1 = [protected_variable, secret_variable]
expected_array2 = [variable_child, variable_child_2, variable_child_3] expected_array2 = [variable_child, variable_child_2, variable_child_3]
......
...@@ -2492,7 +2492,7 @@ describe Project do ...@@ -2492,7 +2492,7 @@ describe Project do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
create(:protected_branch, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -2500,7 +2500,7 @@ describe Project do ...@@ -2500,7 +2500,7 @@ describe Project do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
create(:protected_tag, name: 'ref', project: project) allow(project).to receive(:protected_for?).with('ref').and_return(true)
end end
it_behaves_like 'ref is protected' it_behaves_like 'ref is protected'
...@@ -2525,6 +2525,8 @@ describe Project do ...@@ -2525,6 +2525,8 @@ describe Project do
context 'when the ref is a protected branch' do context 'when the ref is a protected branch' do
before do before do
allow(project).to receive(:repository).and_call_original
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
create(:protected_branch, name: 'ref', project: project) create(:protected_branch, name: 'ref', project: project)
end end
...@@ -2535,6 +2537,8 @@ describe Project do ...@@ -2535,6 +2537,8 @@ describe Project do
context 'when the ref is a protected tag' do context 'when the ref is a protected tag' do
before do before do
allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
create(:protected_tag, name: 'ref', project: project) create(:protected_tag, name: 'ref', project: project)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment