Commit 6a513927 authored by Douwe Maan's avatar Douwe Maan Committed by Tomasz Maczukin

Merge branch 'fix/unauthorized-access-to-build-data' into 'master'

Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968
parent 767d3223
...@@ -7,6 +7,7 @@ v 8.8.5 ...@@ -7,6 +7,7 @@ v 8.8.5
- Fix importer for GitHub comments on diff - Fix importer for GitHub comments on diff
- Adjust the SAML control flow to allow LDAP identities to be added to an existing SAML user - Adjust the SAML control flow to allow LDAP identities to be added to an existing SAML user
- Fix incremental trace upload API when using multi-byte UTF-8 chars in trace - Fix incremental trace upload API when using multi-byte UTF-8 chars in trace
- Prevent unauthorized access for projects build traces
v 8.8.4 v 8.8.4
- Fix LDAP-based login for users with 2FA enabled. !4493 - Fix LDAP-based login for users with 2FA enabled. !4493
......
...@@ -37,7 +37,7 @@ class Projects::ArtifactsController < Projects::ApplicationController ...@@ -37,7 +37,7 @@ class Projects::ArtifactsController < Projects::ApplicationController
private private
def build def build
@build ||= project.builds.unscoped.find_by!(id: params[:build_id]) @build ||= project.builds.find_by!(id: params[:build_id])
end end
def artifacts_file def artifacts_file
......
...@@ -81,7 +81,7 @@ class Projects::BuildsController < Projects::ApplicationController ...@@ -81,7 +81,7 @@ class Projects::BuildsController < Projects::ApplicationController
private private
def build def build
@build ||= project.builds.unscoped.find_by!(id: params[:id]) @build ||= project.builds.find_by!(id: params[:id])
end end
def build_path(build) def build_path(build)
......
...@@ -7,6 +7,7 @@ describe "Builds" do ...@@ -7,6 +7,7 @@ describe "Builds" do
login_as(:user) login_as(:user)
@commit = FactoryGirl.create :ci_commit @commit = FactoryGirl.create :ci_commit
@build = FactoryGirl.create :ci_build, commit: @commit @build = FactoryGirl.create :ci_build, commit: @commit
@build2 = FactoryGirl.create :ci_build
@project = @commit.project @project = @commit.project
@project.team << [@user, :developer] @project.team << [@user, :developer]
end end
...@@ -66,13 +67,24 @@ describe "Builds" do ...@@ -66,13 +67,24 @@ describe "Builds" do
end end
describe "GET /:project/builds/:id" do describe "GET /:project/builds/:id" do
before do context "Build from project" do
visit namespace_project_build_path(@project.namespace, @project, @build) before do
visit namespace_project_build_path(@project.namespace, @project, @build)
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content @commit.sha[0..7] }
it { expect(page).to have_content @commit.git_commit_message }
it { expect(page).to have_content @commit.git_author_name }
end end
it { expect(page).to have_content @commit.sha[0..7] } context "Build from other project" do
it { expect(page).to have_content @commit.git_commit_message } before do
it { expect(page).to have_content @commit.git_author_name } visit namespace_project_build_path(@project.namespace, @project, @build2)
end
it { expect(page.status_code).to eq(404) }
end
context "Download artifacts" do context "Download artifacts" do
before do before do
...@@ -103,51 +115,143 @@ describe "Builds" do ...@@ -103,51 +115,143 @@ describe "Builds" do
end end
describe "POST /:project/builds/:id/cancel" do describe "POST /:project/builds/:id/cancel" do
before do context "Build from project" do
@build.run! before do
visit namespace_project_build_path(@project.namespace, @project, @build) @build.run!
click_link "Cancel" visit namespace_project_build_path(@project.namespace, @project, @build)
click_link "Cancel"
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content 'canceled' }
it { expect(page).to have_content 'Retry' }
end end
it { expect(page).to have_content 'canceled' } context "Build from other project" do
it { expect(page).to have_content 'Retry' } before do
@build.run!
visit namespace_project_build_path(@project.namespace, @project, @build)
page.driver.post(cancel_namespace_project_build_path(@project.namespace, @project, @build2))
end
it { expect(page.status_code).to eq(404) }
end
end end
describe "POST /:project/builds/:id/retry" do describe "POST /:project/builds/:id/retry" do
before do context "Build from project" do
@build.run! before do
visit namespace_project_build_path(@project.namespace, @project, @build) @build.run!
click_link "Cancel" visit namespace_project_build_path(@project.namespace, @project, @build)
click_link 'Retry' click_link 'Cancel'
click_link 'Retry'
end
it { expect(page.status_code).to eq(200) }
it { expect(page).to have_content 'pending' }
it { expect(page).to have_content 'Cancel' }
end end
it { expect(page).to have_content 'pending' } context "Build from other project" do
it { expect(page).to have_content 'Cancel' } before do
@build.run!
visit namespace_project_build_path(@project.namespace, @project, @build)
click_link 'Cancel'
page.driver.post(retry_namespace_project_build_path(@project.namespace, @project, @build2))
end
it { expect(page.status_code).to eq(404) }
end
end end
describe "GET /:project/builds/:id/download" do describe "GET /:project/builds/:id/download" do
before do context "Build from project" do
@build.update_attributes(artifacts_file: artifacts_file) before do
visit namespace_project_build_path(@project.namespace, @project, @build) @build.update_attributes(artifacts_file: artifacts_file)
page.within('.artifacts') { click_link 'Download' } visit namespace_project_build_path(@project.namespace, @project, @build)
page.within('.artifacts') { click_link 'Download' }
end
it { expect(page.status_code).to eq(200) }
it { expect(page.response_headers['Content-Type']).to eq(artifacts_file.content_type) }
end end
it { expect(page.response_headers['Content-Type']).to eq(artifacts_file.content_type) } context "Build from other project" do
before do
@build2.update_attributes(artifacts_file: artifacts_file)
visit download_namespace_project_build_artifacts_path(@project.namespace, @project, @build2)
end
it { expect(page.status_code).to eq(404) }
end
end end
describe "GET /:project/builds/:id/raw" do describe "GET /:project/builds/:id/raw" do
before do context "Build from project" do
Capybara.current_session.driver.header('X-Sendfile-Type', 'X-Sendfile') before do
@build.run! Capybara.current_session.driver.header('X-Sendfile-Type', 'X-Sendfile')
@build.trace = 'BUILD TRACE' @build.run!
visit namespace_project_build_path(@project.namespace, @project, @build) @build.trace = 'BUILD TRACE'
visit namespace_project_build_path(@project.namespace, @project, @build)
page.within('.build-controls') { click_link 'Raw' }
end
it 'sends the right headers' do
expect(page.status_code).to eq(200)
expect(page.response_headers['Content-Type']).to eq('text/plain; charset=utf-8')
expect(page.response_headers['X-Sendfile']).to eq(@build.path_to_trace)
end
end
context "Build from other project" do
before do
Capybara.current_session.driver.header('X-Sendfile-Type', 'X-Sendfile')
@build2.run!
@build2.trace = 'BUILD TRACE'
visit raw_namespace_project_build_path(@project.namespace, @project, @build2)
puts page.status_code
puts current_url
end
it 'sends the right headers' do
expect(page.status_code).to eq(404)
end
end
end
describe "GET /:project/builds/:id/trace.json" do
context "Build from project" do
before do
visit trace_namespace_project_build_path(@project.namespace, @project, @build, format: :json)
end
it { expect(page.status_code).to eq(200) }
end
context "Build from other project" do
before do
visit trace_namespace_project_build_path(@project.namespace, @project, @build2, format: :json)
end
it { expect(page.status_code).to eq(404) }
end
end
describe "GET /:project/builds/:id/status" do
context "Build from project" do
before do
visit status_namespace_project_build_path(@project.namespace, @project, @build)
end
it { expect(page.status_code).to eq(200) }
end end
it 'sends the right headers' do context "Build from other project" do
page.within('.build-controls') { click_link 'Raw' } before do
visit status_namespace_project_build_path(@project.namespace, @project, @build2)
end
expect(page.response_headers['Content-Type']).to eq('text/plain; charset=utf-8') it { expect(page.status_code).to eq(404) }
expect(page.response_headers['X-Sendfile']).to eq(@build.path_to_trace)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment