Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internal-12-2' into '12-2-stable'

Improper access control allows the attacker to comment in internal commit after they are no longer admin See merge request gitlab/gitlabhq!3392

Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internal-12-2' into '12-2-stable'
Improper access control allows the attacker to comment in internal commit after they are no longer admin See merge request gitlab/gitlabhq!3392
97dfa40a · GitLab Release Tools Bot · 74bc3906 · b3d5a0a4 · 97dfa40a · 97dfa40a
3 changed file
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
  delegate { @subject.project }

  rule { can?(:download_code) }.enable :read_commit
+  rule { ~can?(:read_commit) }.prevent :create_note
 end
--- a/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
+++ b/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
+---
+title: Disallow unprivileged users from commenting on private repository commits
+merge_request:
+author:
+type: security
--- a/spec/policies/commit_policy_spec.rb
+++ b/spec/policies/commit_policy_spec.rb
@@ -8,28 +8,42 @@ describe CommitPolicy do
    let(:commit) { project.repository.head_commit }
    let(:policy) { described_class.new(user, commit) }

+    shared_examples 'can read commit and create a note' do
+      it 'can read commit' do
+        expect(policy).to be_allowed(:read_commit)
+      end
+
+      it 'can create a note' do
+        expect(policy).to be_allowed(:create_note)
+      end
+    end
+
+    shared_examples 'cannot read commit nor create a note' do
+      it 'can not read commit' do
+        expect(policy).to be_disallowed(:read_commit)
+      end
+
+      it 'can not create a note' do
+        expect(policy).to be_disallowed(:create_note)
+      end
+    end
+
    context 'when project is public' do
      let(:project) { create(:project, :public, :repository) }

-      it 'can read commit and create a note' do
-        expect(policy).to be_allowed(:read_commit)
-      end
+      it_behaves_like 'can read commit and create a note'

      context 'when repository access level is private' do
        let(:project) { create(:project, :public, :repository, :repository_private) }

-        it 'can not read commit and create a note' do
-          expect(policy).to be_disallowed(:read_commit)
-        end
+        it_behaves_like 'cannot read commit nor create a note'

        context 'when the user is a project member' do
          before do
            project.add_developer(user)
          end

-          it 'can read commit and create a note' do
-            expect(policy).to be_allowed(:read_commit)
-          end
+          it_behaves_like 'can read commit and create a note'
        end
      end
    end
@@ -37,9 +51,7 @@ describe CommitPolicy do
    context 'when project is private' do
      let(:project) { create(:project, :private, :repository) }

-      it 'can not read commit and create a note' do
-        expect(policy).to be_disallowed(:read_commit)
-      end
+      it_behaves_like 'cannot read commit nor create a note'

      context 'when the user is a project member' do
        before do
@@ -50,6 +62,18 @@ describe CommitPolicy do
          expect(policy).to be_allowed(:read_commit)
        end
      end
+
+      context 'when the user is a guest' do
+        before do
+          project.add_guest(user)
+        end
+
+        it_behaves_like 'cannot read commit nor create a note'
+
+        it 'cannot download code' do
+          expect(policy).to be_disallowed(:download_code)
+        end
+      end
    end
  end
 end