Disallow changing namespace of a project in update method

41af40d4 · Małgorzata Ksionek · bcd4e1f5 · 41af40d4 · 41af40d4 · 41af40d4
3 changed file
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -46,7 +46,7 @@ class ProjectsController < Projects::ApplicationController
  end

  def create
-    @project = ::Projects::CreateService.new(current_user, project_params).execute
+    @project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute

    if @project.saved?
      cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
@@ -327,9 +327,9 @@ class ProjectsController < Projects::ApplicationController
  end
  # rubocop: enable CodeReuse/ActiveRecord

-  def project_params
+  def project_params(attributes: project_params_attributes)
    params.require(:project)
-      .permit(project_params_attributes)
+      .permit(attributes)
  end

  def project_params_attributes
@@ -348,11 +348,10 @@ class ProjectsController < Projects::ApplicationController
      :last_activity_at,
      :lfs_enabled,
      :name,
-      :namespace_id,
      :only_allow_merge_if_all_discussions_are_resolved,
      :only_allow_merge_if_pipeline_succeeds,
-      :printing_merge_request_link_enabled,
      :path,
+      :printing_merge_request_link_enabled,
      :public_builds,
      :request_access_enabled,
      :runners_token,
@@ -374,6 +373,10 @@ class ProjectsController < Projects::ApplicationController
    ]
  end

+  def project_params_create_attributes
+    project_params_attributes << :namespace_id
+  end
+
  def custom_import_params
    {}
  end

--- a/changelogs/unreleased/security-mass-assignment-on-project-update.yml
+++ b/changelogs/unreleased/security-mass-assignment-on-project-update.yml
+---
+title: Disallow updating namespace during updating project
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -369,6 +369,23 @@ describe ProjectsController do
        end
      end

+      it 'does not update namespace' do
+        controller.instance_variable_set(:@project, project)
+
+        params = {
+          namespace_id: 'test'
+        }
+
+        expect do
+          put :update,
+            params: {
+              namespace_id: project.namespace,
+              id: project.id,
+              project: params
+            }
+        end.not_to change {project.namespace}
+      end
+
      def update_project(**parameters)
        put :update,
            params: {