Prevent leaking information when issue is moved

Prevent leaking namespace and project names on moved issue links

Prevent leaking information when issue is moved
Prevent leaking namespace and project names on moved issue links
ff06452e · Felipe Artur · b4165554 · ff06452e · ff06452e · ff06452e
Commit ff06452e authored Apr 08, 2019 by Felipe Artur
3 changed files
--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -15,7 +15,7 @@
    .issuable-status-box.status-box.status-box-issue-closed{ class: issue_button_visibility(@issue, false) }
      = sprite_icon('mobile-issue-close', size: 16, css_class: 'd-block d-sm-none')
      .d-none.d-sm-block
-        - if @issue.moved?
+        - if @issue.moved? && can?(current_user, :read_issue, @issue.moved_to)
          - moved_link_start = "<a href=\"#{issue_path(@issue.moved_to)}\" class=\"text-white text-underline\">".html_safe
          - moved_link_end = '</a>'.html_safe
          = s_('IssuableStatus|Closed (%{moved_link_start}moved%{moved_link_end})').html_safe % {moved_link_start: moved_link_start,

--- a/changelogs/unreleased/security-issue_2830.yml
+++ b/changelogs/unreleased/security-issue_2830.yml
+---
+title: 'Resolve: moving an issue to private repo leaks namespace and project name'
+merge_request:
+author:
+type: security
--- a/spec/views/projects/issues/show.html.haml_spec.rb
+++ b/spec/views/projects/issues/show.html.haml_spec.rb
@@ -19,6 +19,7 @@ describe 'projects/issues/show' do
  context 'when the issue is closed' do
    before do
      allow(issue).to receive(:closed?).and_return(true)
+      allow(view).to receive(:current_user).and_return(user)
    end
    context 'when the issue was moved' do
@@ -28,16 +29,30 @@ describe 'projects/issues/show' do
        issue.moved_to = new_issue
      end
-      it 'shows "Closed (moved)" if an issue has been moved' do
+      context 'when user can see the moved issue' do
-        render
+        before do
+          project.add_developer(user)
+        end
-        expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
+        it 'shows "Closed (moved)" if an issue has been moved' do
+          render
+          expect(rendered).to have_selector('.status-box-issue-closed:not(.hidden)', text: 'Closed (moved)')
+        end
+        it 'links "moved" to the new issue the original issue was moved to' do
+          render
+          expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+        end
      end
-      it 'links "moved" to the new issue the original issue was moved to' do
+      context 'when user cannot see moved issue' do
-        render
+        it 'does not show moved issue link' do
+          render
-        expect(rendered).to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+          expect(rendered).not_to have_selector("a[href=\"#{issue_path(new_issue)}\"]", text: 'moved')
+        end
      end
    end