Commit d8b4e585 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-tags-oracle' into 'master'

Prevent Releases links API to leak tag existence

Closes #2795

See merge request gitlab/gitlabhq!2893
parents 9d9591f4 d5c858cd
---
title: Prevent releases links API to leak tag existance
merge_request:
author:
type: security
...@@ -8,6 +8,8 @@ module API ...@@ -8,6 +8,8 @@ module API
RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
.merge(tag_name: API::NO_SLASH_URL_PART_REGEX) .merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
before { authorize! :read_release, user_project }
params do params do
requires :id, type: String, desc: 'The ID of a project' requires :id, type: String, desc: 'The ID of a project'
end end
......
...@@ -73,6 +73,22 @@ describe API::Release::Links do ...@@ -73,6 +73,22 @@ describe API::Release::Links do
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
end end
context 'when project is public and the repository is private' do
let(:project) { create(:project, :repository, :public, :repository_private) }
it_behaves_like '403 response' do
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
end
context 'when the release does not exists' do
let!(:release) { }
it_behaves_like '403 response' do
let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
end
end
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment