Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'

Fix using wildcards in protected tags to expose protected variables

Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'
Fix using wildcards in protected tags to expose protected variables
d021e628 · Kamil Trzciński · Robert Speicher · 886b3a63 · d021e628 · d021e628
Commit d021e628 authored Jan 26, 2018 by Kamil Trzciński Committed by Robert Speicher Feb 09, 2018
5 changed files
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1601,9 +1601,12 @@ class Project < ActiveRecord::Base
  end

  def protected_for?(ref)
-    ProtectedBranch.protected?(self, ref) ||
+    if repository.branch_exists?(ref)
+      ProtectedBranch.protected?(self, ref)
+    elsif repository.tag_exists?(ref)
      ProtectedTag.protected?(self, ref)
    end
+  end

  def deployment_variables(environment: nil)
    deployment_platform(environment: environment)&.predefined_variables || []

--- a/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+++ b/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+---
+title: Fix wilcard protected tags protecting all branches
+merge_request:
+author:
+type: security
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1609,7 +1609,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1617,7 +1617,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1654,7 +1654,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1662,7 +1662,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -569,7 +569,7 @@ describe Group do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -577,7 +577,7 @@ describe Group do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -591,6 +591,10 @@ describe Group do
      let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
      let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }

+      before do
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
+      end
+
      it 'returns all variables belong to the group and parent groups' do
        expected_array1 = [protected_variable, secret_variable]
        expected_array2 = [variable_child, variable_child_2, variable_child_3]

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2492,7 +2492,7 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2500,7 +2500,7 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2525,6 +2525,8 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
+        allow(project).to receive(:repository).and_call_original
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
        create(:protected_branch, name: 'ref', project: project)
      end

@@ -2535,6 +2537,8 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
+        allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
        create(:protected_tag, name: 'ref', project: project)
      end