c01ad00e
编写于
9月 18, 2019
作者:
Alexandru Croitor
Add policy check if cross reference system notes are accessible
上级
0be35b49
Showing
5 changed file
with
178 addition
and
0 deletion
+178
-0
app/models/discussion.rb
app/models/discussion.rb
+1
-0
app/policies/note_policy.rb
app/policies/note_policy.rb
+9
-0
changelogs/unreleased/security-12630-private-system-note-disclosed-in-graphql.yml
...curity-12630-private-system-note-disclosed-in-graphql.yml
+6
-0
spec/graphql/types/issue_type_spec.rb
spec/graphql/types/issue_type_spec.rb
+79
-0
spec/policies/note_policy_spec.rb
spec/policies/note_policy_spec.rb
+83
-0
app/models/discussion.rb
@@ -18,6 +18,7 @@ class Discussion
:for_merge_request?
,
:to_ability_name
,
:editable?
,
:visible_for?
,
to: :first_note
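Review bot: The new `:visible_for?` delegation resolves a discussion's visibility from `first_note` alone, so a multi-note discussion whose later notes reference a private item would still report visible; if that is acceptable because such cross-reference system notes are always single-note discussions, a short comment on the delegate list would save the next reader the same question, e.g. `# visible_for? is decided by the first note only`. The diffstat lists no Discussion spec, so the delegation itself is not covered by the tests added in this commit. The `delegate` call this list belongs to starts above the hunk, inside `class Discussion`.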
app/policies/note_policy.rb
@@ -11,6 +11,8 @@ class NotePolicy < BasePolicy
condition
(
:can_read_noteable
)
{
can?
(
:"read_
#{
@subject
.
to_ability_name
}
"
)
}
condition
(
:is_visible
)
{
@subject
.
visible_for?
(
@user
)
}
rule
{
~
editable
}.
prevent
:admin_note
# If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -27,6 +29,13 @@ class NotePolicy < BasePolicy
enable
:resolve_note
end
rule
{
~
is_visible
}.
policy
do
prevent
:read_note
prevent
:admin_note
prevent
:resolve_note
prevent
:award_emoji
end
rule
{
is_noteable_author
}.
policy
do
enable
:resolve_note
end
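Review bot: The `~is_visible` rule at the top of this hunk enumerates the abilities it prevents (`read_note`, `admin_note`, `resolve_note`, `award_emoji`), so any ability added to NotePolicy later would be granted on a note the user is not meant to see unless someone remembers to extend this list; if DeclarativePolicy's `prevent_all` is available in this codebase, `rule { ~is_visible }.prevent_all` closes that gap without the maintenance burden. The `condition(:is_visible)` added in the first hunk also carries no comment, unlike the `can_read_noteable` rule beside it; `# Cross-reference system notes may mention items the user cannot see; the note itself decides via visible_for?` above the condition would explain why a readable noteable can still hold an unreadable note. That condition runs for every note, not only system notes, so if `visible_for?` does reference parsing its cost on long note lists is worth measuring. Both rule blocks sit inside `class NotePolicy`, which starts outside the hunk.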
changelogs/unreleased/security-12630-private-system-note-disclosed-in-graphql.yml
0 → 100644
---
title
:
Add a policy check for system notes that may not be visible due to cross references
to private items
merge_request
:
author
:
type
:
security
spec/graphql/types/issue_type_spec.rb
@@ -17,4 +17,83 @@ describe GitlabSchema.types['Issue'] do
expect
(
described_class
).
to
have_graphql_field
(
field_name
)
end
end
describe
"issue notes"
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
let
(
:confidential_issue
)
{
create
(
:issue
,
:confidential
,
project:
project
)
}
let
(
:private_note_body
)
{
"mentioned in issue
#{
confidential_issue
.
to_reference
(
project
)
}
"
}
let!
(
:note1
)
{
create
(
:note
,
system:
true
,
noteable:
issue
,
author:
user
,
project:
project
,
note:
private_note_body
)
}
let!
(
:note2
)
{
create
(
:note
,
system:
true
,
noteable:
issue
,
author:
user
,
project:
project
,
note:
'public note'
)
}
let
(
:query
)
do
%(
query {
project(fullPath:"#{project.full_path}"){
issue(iid:"#{issue.iid}"){
descriptionHtml
notes{
edges{
node{
bodyHtml
author{
username
}
body
}
}
}
}
}
}
)
end
context
'query issue notes'
do
subject
{
GitlabSchema
.
execute
(
query
,
context:
{
current_user:
current_user
}).
as_json
}
shared_examples_for
'does not include private notes'
do
it
"does not return private notes"
do
notes
=
subject
.
dig
(
"data"
,
"project"
,
"issue"
,
"notes"
,
'edges'
)
notes_body
=
notes
.
map
{
|
n
|
n
.
dig
(
'node'
,
'body'
)}
expect
(
notes
.
size
).
to
eq
1
expect
(
notes_body
).
not_to
include
(
private_note_body
)
expect
(
notes_body
).
to
include
(
'public note'
)
end
end
shared_examples_for
'includes private notes'
do
it
"returns all notes"
do
notes
=
subject
.
dig
(
"data"
,
"project"
,
"issue"
,
"notes"
,
'edges'
)
notes_body
=
notes
.
map
{
|
n
|
n
.
dig
(
'node'
,
'body'
)}
expect
(
notes
.
size
).
to
eq
2
expect
(
notes_body
).
to
include
(
private_note_body
)
expect
(
notes_body
).
to
include
(
'public note'
)
end
end
context
'when user signed in'
do
let
(
:current_user
)
{
user
}
it_behaves_like
'does not include private notes'
context
'when user member of the project'
do
before
do
project
.
add_developer
(
user
)
end
it_behaves_like
'includes private notes'
end
end
context
'when user is anonymous'
do
let
(
:current_user
)
{
nil
}
it_behaves_like
'does not include private notes'
end
end
end
end
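Review bot: Both shared examples repeat the same `dig("data", "project", "issue", "notes", 'edges')` and `map { |n| n.dig('node', 'body') }` extraction, with quote styles mixed on one line; a single `let(:notes_body) { subject.dig('data', 'project', 'issue', 'notes', 'edges').map { |n| n.dig('node', 'body') } }` would leave each example asserting only on counts and bodies. The query also requests `descriptionHtml`, `bodyHtml` and `author { username }`, none of which any expectation reads. The private fixture is built from body text alone (`system: true`, `note: private_note_body`); if the note's visibility check relies on system note metadata rather than the body, this spec would not exercise that path, which is worth confirming against the note model. The outer `describe GitlabSchema.types['Issue']` block starts before the hunk.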
spec/policies/note_policy_spec.rb
@@ -152,6 +152,89 @@ describe NotePolicy do
it_behaves_like
'a discussion with a private noteable'
end
end
context
'when it is a system note'
do
let
(
:developer
)
{
create
(
:user
)
}
let
(
:any_user
)
{
create
(
:user
)
}
shared_examples_for
'user can read the note'
do
it
'allows the user to read the note'
do
expect
(
policy
).
to
be_allowed
(
:read_note
)
end
end
shared_examples_for
'user can act on the note'
do
it
'allows the user to read the note'
do
expect
(
policy
).
not_to
be_allowed
(
:admin_note
)
expect
(
policy
).
to
be_allowed
(
:resolve_note
)
expect
(
policy
).
to
be_allowed
(
:award_emoji
)
end
end
shared_examples_for
'user cannot read or act on the note'
do
it
'allows user to read the note'
do
expect
(
policy
).
not_to
be_allowed
(
:admin_note
)
expect
(
policy
).
not_to
be_allowed
(
:resolve_note
)
expect
(
policy
).
not_to
be_allowed
(
:read_note
)
expect
(
policy
).
not_to
be_allowed
(
:award_emoji
)
end
end
context
'when noteable is a public issue'
do
let
(
:note
)
{
create
(
:note
,
system:
true
,
noteable:
noteable
,
author:
user
,
project:
project
)
}
before
do
project
.
add_developer
(
developer
)
end
context
'when user is project member'
do
let
(
:policy
)
{
described_class
.
new
(
developer
,
note
)
}
it_behaves_like
'user can read the note'
it_behaves_like
'user can act on the note'
end
context
'when user is not project member'
do
let
(
:policy
)
{
described_class
.
new
(
any_user
,
note
)
}
it_behaves_like
'user can read the note'
end
context
'when user is anonymous'
do
let
(
:policy
)
{
described_class
.
new
(
nil
,
note
)
}
it_behaves_like
'user can read the note'
end
end
context
'when it is a system note referencing a confidential issue'
do
let
(
:confidential_issue
)
{
create
(
:issue
,
:confidential
,
project:
project
)
}
let
(
:note
)
{
create
(
:note
,
system:
true
,
noteable:
issue
,
author:
user
,
project:
project
,
note:
"mentioned in issue
#{
confidential_issue
.
to_reference
(
project
)
}
"
)
}
before
do
project
.
add_developer
(
developer
)
end
context
'when user is project member'
do
let
(
:policy
)
{
described_class
.
new
(
developer
,
note
)
}
it_behaves_like
'user can read the note'
it_behaves_like
'user can act on the note'
end
context
'when user is not project member'
do
let
(
:policy
)
{
described_class
.
new
(
any_user
,
note
)
}
it_behaves_like
'user cannot read or act on the note'
end
context
'when user is anonymous'
do
let
(
:policy
)
{
described_class
.
new
(
nil
,
note
)
}
it_behaves_like
'user cannot read or act on the note'
end
end
end
end
end
end
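Review bot: Two of the new shared examples carry descriptions that contradict their assertions: under `'user can act on the note'` the example is `it 'allows the user to read the note'`, and under `'user cannot read or act on the note'` it is `it 'allows user to read the note'` while every expectation there is `not_to be_allowed`; failures will print misleading names, so rename them to `it 'allows the user to act on the note'` and `it 'does not allow the user to read or act on the note'`. The `'user can act on the note'` example also asserts `not_to be_allowed(:admin_note)`, which reflects the `~editable` rule for system notes rather than an "act" capability and reads more clearly as its own example. The two `let(:note)` blocks differ in `noteable: noteable` versus `noteable: issue`; if both refer to the same public issue defined above the hunk, using one name avoids a detour for the reader. The enclosing `describe NotePolicy` block starts before the hunk.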