Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee

a01497b0 · GitLab Bot · ec3f4810 · a01497b0 · a01497b0 · a01497b0
4 changed file
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -614,6 +614,7 @@ module ProjectsHelper

  def find_file_path
    return unless @project && !@project.empty_repo?
+    return unless can?(current_user, :download_code, @project)

    ref = @ref || @project.repository.root_ref


--- a/changelogs/unreleased/bug-codeowner-diffs.yml
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-branch-permissions.yml
+++ b/changelogs/unreleased/security-branch-permissions.yml
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
    end

    context 'when @project is set' do
-      it 'includes all possible body data elements and associates the project elements with project' do
-        project = create(:project)
+      let_it_be(:project) { create(:project, :repository) }
+      let_it_be(:user) { create(:user) }

+      before do
        assign(:project, project)
+        allow(helper).to receive(:current_user).and_return(nil)
+      end

+      it 'includes all possible body data elements and associates the project elements with project' do
+        expect(helper).to receive(:can?).with(nil, :download_code, project)
        expect(helper.body_data).to eq(
          {
            page: 'application',
@@ -302,12 +307,11 @@ describe ApplicationHelper do

        context 'when params[:id] is present and the issue exsits and action_name is show' do
          it 'sets all project and id elements correctly related to the issue' do
-            issue = create(:issue)
+            issue = create(:issue, project: project)
            stub_controller_method(:action_name, 'show')
            stub_controller_method(:params, { id: issue.id })

-            assign(:project, issue.project)
-
+            expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
            expect(helper.body_data).to eq(
              {
                page: 'projects:issues:show',
@@ -322,6 +326,15 @@ describe ApplicationHelper do
          end
        end
      end
+
+      context 'when current_user has download_code permission' do
+        it 'returns find_file with the default branch' do
+          allow(helper).to receive(:current_user).and_return(user)
+
+          expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+          expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+        end
+      end
    end

    def stub_controller_method(method_name, value)