Merge branch 'security-bvl-exposure-in-commits-list' into 'master'

[master] Don't expose confidential information in commit message list See merge request gitlab/gitlabhq!2626

Merge branch 'security-bvl-exposure-in-commits-list' into 'master'
[master] Don't expose confidential information in commit message list See merge request gitlab/gitlabhq!2626
e3a5ce58 · Cindy Pallares · 17f83726 · e3a5ce58 · e3a5ce58 · e3a5ce58
Commit e3a5ce58 authored Nov 28, 2018 by Cindy Pallares
3 changed files
--- a/app/views/projects/commits/_commit.html.haml
+++ b/app/views/projects/commits/_commit.html.haml
@@ -8,62 +8,50 @@
 - ref           = local_assigns.fetch(:ref) { merge_request&.source_branch }
 - link = commit_path(project, commit, merge_request: merge_request)
- cache_key = [project.full_path,
+%li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" }
-               ref,
-               commit.id,
+  .avatar-cell.d-none.d-sm-block
-               Gitlab::CurrentSettings.current_application_settings,
+    = author_avatar(commit, size: 36, has_tooltip: false)
-               @path.presence,
-               current_controller?(:commits),
+  .commit-detail.flex-list
-               merge_request&.iid,
+    .commit-content.qa-commit-content
-               view_details,
+      - if view_details && merge_request
-               commit.status(ref),
+        = link_to commit.title, project_commit_path(project, commit.id, merge_request_iid: merge_request.iid), class: "commit-row-message item-title"
-               I18n.locale].compact
+      - else
+        = link_to_markdown_field(commit, :title, link, class: "commit-row-message item-title")
-= cache(cache_key, expires_in: 1.day) do
+      %span.commit-row-message.d-block.d-sm-none
-  %li.commit.flex-row.js-toggle-container{ id: "commit-#{commit.short_id}" }
+        &middot;
+        = commit.short_id
-    .avatar-cell.d-none.d-sm-block
+      - if commit.status(ref)
-      = author_avatar(commit, size: 36, has_tooltip: false)
+        .d-block.d-sm-none
+          = render_commit_status(commit, ref: ref)
-    .commit-detail.flex-list
+      - if commit.description?
-      .commit-content.qa-commit-content
+        %button.text-expander.js-toggle-button
-        - if view_details && merge_request
+          = sprite_icon('ellipsis_h', size: 12)
-          = link_to commit.title, project_commit_path(project, commit.id, merge_request_iid: merge_request.iid), class: "commit-row-message item-title"
-        - else
-          = link_to_markdown_field(commit, :title, link, class: "commit-row-message item-title")
-        %span.commit-row-message.d-block.d-sm-none
-          &middot;
-          = commit.short_id
-        - if commit.status(ref)
-          .d-block.d-sm-none
-            = render_commit_status(commit, ref: ref)
-        - if commit.description?
-          %button.text-expander.js-toggle-button
-            = sprite_icon('ellipsis_h', size: 12)
-        .committer
+      .committer
-          - commit_author_link = commit_author_link(commit, avatar: false, size: 24)
+        - commit_author_link = commit_author_link(commit, avatar: false, size: 24)
-          - commit_timeago = time_ago_with_tooltip(commit.authored_date, placement: 'bottom')
+        - commit_timeago = time_ago_with_tooltip(commit.authored_date, placement: 'bottom')
-          - commit_text =  _('%{commit_author_link} authored %{commit_timeago}') % { commit_author_link: commit_author_link, commit_timeago: commit_timeago }
+        - commit_text =  _('%{commit_author_link} authored %{commit_timeago}') % { commit_author_link: commit_author_link, commit_timeago: commit_timeago }
-          #{ commit_text.html_safe }
+        #{ commit_text.html_safe }
-        - if commit.description?
+      - if commit.description?
-          %pre.commit-row-description.js-toggle-content.append-bottom-8
+        %pre.commit-row-description.js-toggle-content.append-bottom-8
-            = preserve(markdown_field(commit, :description))
+          = preserve(markdown_field(commit, :description))
-      .commit-actions.flex-row.d-none.d-sm-flex
+    .commit-actions.flex-row.d-none.d-sm-flex
-        - if request.xhr?
+      - if request.xhr?
-          = render partial: 'projects/commit/signature', object: commit.signature
+        = render partial: 'projects/commit/signature', object: commit.signature
-        - else
+      - else
-          = render partial: 'projects/commit/ajax_signature', locals: { commit: commit }
+        = render partial: 'projects/commit/ajax_signature', locals: { commit: commit }
-        - if commit.status(ref)
+      - if commit.status(ref)
-          = render_commit_status(commit, ref: ref)
+        = render_commit_status(commit, ref: ref)
-        .js-commit-pipeline-status{ data: { endpoint: pipelines_project_commit_path(project, commit.id, ref: ref) } }
+      .js-commit-pipeline-status{ data: { endpoint: pipelines_project_commit_path(project, commit.id, ref: ref) } }
-        .commit-sha-group
+      .commit-sha-group
-          .label.label-monospace
+        .label.label-monospace
-            = commit.short_id
+          = commit.short_id
-          = clipboard_button(text: commit.id, title: _("Copy commit SHA to clipboard"), class: "btn btn-default", container: "body")
+        = clipboard_button(text: commit.id, title: _("Copy commit SHA to clipboard"), class: "btn btn-default", container: "body")
-          = link_to_browse_code(project, commit)
+        = link_to_browse_code(project, commit)
--- a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+++ b/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+---
+title: Don't expose confidential information in commit message list
+merge_request:
+author:
+type: security
--- a/spec/features/projects/commits/user_browses_commits_spec.rb
+++ b/spec/features/projects/commits/user_browses_commits_spec.rb
@@ -4,10 +4,9 @@ describe 'User browses commits' do
  include RepoHelpers
  let(:user) { create(:user) }
-  let(:project) { create(:project, :repository, namespace: user.namespace) }
+  let(:project) { create(:project, :public, :repository, namespace: user.namespace) }
  before do
-    project.add_maintainer(user)
    sign_in(user)
  end
@@ -127,6 +126,26 @@ describe 'User browses commits' do
        .and have_selector('entry summary', text: commit.description[0..10].delete("\r\n"))
    end
+    context 'when a commit links to a confidential issue' do
+      let(:confidential_issue) { create(:issue, confidential: true, title: 'Secret issue!', project: project) }
+      before do
+        project.repository.create_file(user, 'dummy-file', 'dummy content',
+                                       branch_name: 'feature',
+                                       message: "Linking #{confidential_issue.to_reference}")
+      end
+      context 'when the user cannot see confidential issues but was cached with a link', :use_clean_rails_memory_store_fragment_caching do
+        it 'does not render the confidential issue' do
+          visit project_commits_path(project, 'feature')
+          sign_in(create(:user))
+          visit project_commits_path(project, 'feature')
+          expect(page).not_to have_link(href: project_issue_path(project, confidential_issue))
+        end
+      end
+    end
    context 'master branch' do
      before do
        visit_commits_page