Merge branch 'fix-project-hook-delete-permissions' into 'master'

Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch 'fix-project-hook-delete-permissions' into 'master'
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
a818f0fc · Rémy Coutable · Rémy Coutable · fb7b8265 · a818f0fc · a818f0fc
Commit a818f0fc authored Apr 25, 2016 by Rémy Coutable Committed by Rémy Coutable Apr 26, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 4 deletions

CHANGELOG CHANGELOG +1 -0

lib/api/project_hooks.rb lib/api/project_hooks.rb +2 -2

spec/requests/api/project_hooks_spec.rb spec/requests/api/project_hooks_spec.rb +12 -2

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,7 @@ v 8.6.8
  - Fix vulnerability that leaks private labels and milestones
  - Prevent XSS with in label dropdown
  - Prevent privilege escalation via "impersonate" feature
+  - Prevent users from deleting Webhooks via API they do not own
  - Prevent information disclosure via milestone API
  - Prevent information disclosure via snippet API
  - Prevent information disclosure via new merge request page

--- a/lib/api/project_hooks.rb
+++ b/lib/api/project_hooks.rb
@@ -103,10 +103,10 @@ module API
        required_attributes! [:hook_id]

        begin
-          @hook = ProjectHook.find(params[:hook_id])
-          @hook.destroy
+          @hook = user_project.hooks.destroy(params[:hook_id])
        rescue
          # ProjectHook can raise Error if hook_id not found
+          not_found!("Error deleting hook #{params[:hook_id]}")
        end
      end
    end

--- a/spec/requests/api/project_hooks_spec.rb
+++ b/spec/requests/api/project_hooks_spec.rb
@@ -148,14 +148,24 @@ describe API::API, 'ProjectHooks', api: true do
      expect(response.status).to eq(200)
    end

-    it "should return success when deleting non existent hook" do
+    it "should return a 404 error when deleting non existent hook" do
      delete api("/projects/#{project.id}/hooks/42", user)
-      expect(response.status).to eq(200)
+      expect(response.status).to eq(404)
    end

    it "should return a 405 error if hook id not given" do
      delete api("/projects/#{project.id}/hooks", user)
      expect(response.status).to eq(405)
    end
+
+    it "shold return a 404 if a user attempts to delete project hooks he/she does not own" do
+      test_user = create(:user)
+      other_project = create(:project)
+      other_project.team << [test_user, :master]
+
+      delete api("/projects/#{other_project.id}/hooks/#{hook.id}", test_user)
+      expect(response.status).to eq(404)
+      expect(WebHook.exists?(hook.id)).to be_truthy
+    end
  end
 end