Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

d807e546 · Marin Jankovski · 631562eb · 6303f92a · d807e546 · d807e546
Commit d807e546 authored Oct 07, 2019 by Marin Jankovski
6 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -203,6 +203,13 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Fixes style-lint errors and warnings for EE builds.scss file.


+## 12.2.8
+
+### Fixed (1 change)
+
+- Geo: LFS not being synced. !17633
+
+
 ## 12.2.7

 ### Security (1 change)
@@ -471,6 +478,13 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Fix alignment of activity dropdown in epic tabs; add counter to discussion tab.


+## 12.1.14
+
+### Fixed (1 change)
+
+- Geo: LFS not being synced. !17633
+
+
 ## 12.1.12

 ### Security (4 changes)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -307,6 +307,13 @@ entry.
 - Updates tooltip of 'detached' label/state.


+## 12.2.8
+
+### Security (1 change)
+
+- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
+
+
 ## 12.2.7

 ### Security (1 change)
@@ -649,6 +656,13 @@ entry.
 - Update Packer.gitlab-ci.yml to use latest image. (Kelly Hair)


+## 12.1.14
+
+### Security (1 change)
+
+- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
+
+
 ## 12.1.12

 ### Security (12 changes)

--- a/changelogs/unreleased/security-search-by-iid-leaks-data.yml
+++ b/changelogs/unreleased/security-search-by-iid-leaks-data.yml
+---
+title: Limit search for IID to a type to avoid leaking records with the same IID that
+  the user does not have access to
+merge_request:
+author:
+type: security
--- a/ee/lib/elastic/latest/application_class_proxy.rb
+++ b/ee/lib/elastic/latest/application_class_proxy.rb
@@ -82,7 +82,10 @@ module Elastic
        {
          query: {
            bool: {
-              filter: [{ term: { iid: iid } }]
+              filter: [
+                { term: { iid: iid } },
+                { term: { type: self.es_type } }
+              ]
            }
          }
        }

--- a/ee/spec/models/concerns/elastic/issue_spec.rb
+++ b/ee/spec/models/concerns/elastic/issue_spec.rb
@@ -75,6 +75,28 @@ describe Issue, :elastic do
    expect(described_class.elastic_search('bla-bla', options: { project_ids: :any, public_and_internal_projects: true }).total_count).to eq(3)
  end

+  it "searches by iid and scopes to type: issue only" do
+    issue = nil
+
+    Sidekiq::Testing.inline! do
+      issue = create :issue, title: 'bla-bla issue', project: project
+      create :issue, description: 'term2 in description', project: project
+
+      # MergeRequest with the same iid should not be found in Issue search
+      create :merge_request, title: 'bla-bla', source_project: project, iid: issue.iid
+
+      Gitlab::Elastic::Helper.refresh_index
+    end
+
+    # User needs to be admin or the MergeRequest would just be filtered by
+    # confidential: false
+    options = { project_ids: [project.id], current_user: admin }
+
+    results = described_class.elastic_search("##{issue.iid}", options: options)
+    expect(results.total_count).to eq(1)
+    expect(results.first.title).to eq('bla-bla issue')
+  end
+
  it "returns json with all needed elements" do
    assignee = create(:user)
    issue = create :issue, project: project, assignees: [assignee]

--- a/ee/spec/models/concerns/elastic/merge_request_spec.rb
+++ b/ee/spec/models/concerns/elastic/merge_request_spec.rb
@@ -40,6 +40,27 @@ describe MergeRequest, :elastic do
    expect(described_class.elastic_search('term3', options: { project_ids: :any, public_and_internal_projects: true }).total_count).to eq(1)
  end

+  it "searches by iid and scopes to type: merge_request only" do
+    project = create :project, :public, :repository
+    merge_request = nil
+
+    Sidekiq::Testing.inline! do
+      merge_request = create :merge_request, title: 'bla-bla merge request', source_project: project
+      create :merge_request, description: 'term2 in description', source_project: project, target_branch: "feature2"
+
+      # Issue with the same iid should not be found in MergeRequest search
+      create :issue, project: project, iid: merge_request.iid
+
+      Gitlab::Elastic::Helper.refresh_index
+    end
+
+    options = { project_ids: [project.id] }
+
+    results = described_class.elastic_search("!#{merge_request.iid}", options: options)
+    expect(results.total_count).to eq(1)
+    expect(results.first.title).to eq('bla-bla merge request')
+  end
+
  it "returns json with all needed elements" do
    merge_request = create :merge_request