提交
e36433a1
编写于
6月 03, 2020
作者:
GitLab Bot
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
上级
086a9faa
变更
3
Showing
3 changed file
with
50 addition
and
11 deletion
+50
-11
app/policies/project_policy.rb
app/policies/project_policy.rb
+1
-0
changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
...sed/security-ci-job-token-has-access-to-private-files.yml
+5
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+44
-11
app/policies/project_policy.rb
...
...
@@ -392,6 +392,7 @@ class ProjectPolicy < BasePolicy
rule
{
repository_disabled
}.
policy
do
prevent
:push_code
prevent
:download_code
prevent
:build_download_code
prevent
:fork_project
prevent
:read_commit_status
prevent
:read_pipeline
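Review bot: The `prevent :build_download_code` line (presumably the single addition this hunk carries, given the +1/-0 count) has no comment saying why a CI-job-token permission is being denied inside a repository-feature rule, and a later maintainer who sees `:download_code` already prevented two lines above may read it as redundant and drop it. Suggest a why-comment on that line: `# CI job tokens fetch code via :build_download_code rather than :download_code, so a disabled repository must deny both`. This rule only fires for `repository_disabled`; the spec's expectation that a non-member is also denied when the feature is merely PRIVATE has to come from rules outside this hunk that I cannot see, so confirm that every rule preventing `:download_code` for a feature level also prevents `:build_download_code`. The `rule { repository_disabled }.policy do` block continues past the end of the hunk.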
...
...
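--- /dev/null
+++ b/changelogs/unreleased/security-ci-job-token-has-access-to-private-files.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent fetching repository code with unauthorized ci token
+merge_request:
+author:
+type: security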
spec/policies/project_policy_spec.rb
...
...
@@ -5,6 +5,7 @@ require 'spec_helper'
describe
ProjectPolicy
do
include
ExternalAuthorizationServiceHelpers
include_context
'ProjectPolicy context'
let_it_be
(
:other_user
)
{
create
(
:user
)
}
let_it_be
(
:guest
)
{
create
(
:user
)
}
let_it_be
(
:reporter
)
{
create
(
:user
)
}
let_it_be
(
:developer
)
{
create
(
:user
)
}
...
...
@@ -161,7 +162,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
owner
,
project
)
}
it
'disallows all permissions when the feature is disabled'
do
project
.
project_feature
.
update
(
merge_requests_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
merge_requests_access_level:
ProjectFeature
::
DISABLED
)
mr_permissions
=
[
:create_merge_request_from
,
:read_merge_request
,
:update_merge_request
,
:admin_merge_request
,
...
...
@@ -213,7 +214,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
owner
,
project
)
}
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
DISABLED
)
project
.
project_feature
.
update
!
(
builds_access_level:
ProjectFeature
::
DISABLED
)
end
it
'disallows all permissions except pipeline when the feature is disabled'
do
...
...
@@ -233,7 +234,7 @@ describe ProjectPolicy do
subject
{
described_class
.
new
(
guest
,
project
)
}
before
do
project
.
project_feature
.
update
(
builds_access_level:
ProjectFeature
::
PRIVATE
)
project
.
project_feature
.
update
!
(
builds_access_level:
ProjectFeature
::
PRIVATE
)
end
it
'disallows pipeline and commit_status permissions'
do
...
...
@@ -248,22 +249,54 @@ describe ProjectPolicy do
end
context
'repository feature'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
it
'disallows all permissions when the feature is disabled'
do
project
.
project_feature
.
update
(
repository_access_level:
ProjectFeature
::
DISABLED
)
repository_permissions
=
[
let
(
:repository_permissions
)
do
[
:create_pipeline
,
:update_pipeline
,
:admin_pipeline
,
:destroy_pipeline
,
:create_build
,
:read_build
,
:update_build
,
:admin_build
,
:destroy_build
,
:create_pipeline_schedule
,
:read_pipeline_schedule
,
:update_pipeline_schedule
,
:admin_pipeline_schedule
,
:destroy_pipeline_schedule
,
:create_environment
,
:read_environment
,
:update_environment
,
:admin_environment
,
:destroy_environment
,
:create_cluster
,
:read_cluster
,
:update_cluster
,
:admin_cluster
,
:create_deployment
,
:read_deployment
,
:update_deployment
,
:admin_deployment
,
:destroy_deployment
,
:destroy_release
:destroy_release
,
:download_code
,
:build_download_code
]
end
context
'when user is a project member'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
context
'when it is disabled'
do
before
do
project
.
project_feature
.
update!
(
repository_access_level:
ProjectFeature
::
DISABLED
,
merge_requests_access_level:
ProjectFeature
::
DISABLED
,
builds_access_level:
ProjectFeature
::
DISABLED
,
forking_access_level:
ProjectFeature
::
DISABLED
)
end
expect_disallowed
(
*
repository_permissions
)
it
'disallows all permissions'
do
expect_disallowed
(
*
repository_permissions
)
end
end
end
context
'when user is some other user'
do
subject
{
described_class
.
new
(
other_user
,
project
)
}
context
'when access level is private'
do
before
do
project
.
project_feature
.
update!
(
repository_access_level:
ProjectFeature
::
PRIVATE
,
merge_requests_access_level:
ProjectFeature
::
PRIVATE
,
builds_access_level:
ProjectFeature
::
PRIVATE
,
forking_access_level:
ProjectFeature
::
PRIVATE
)
end
it
'disallows all permissions'
do
expect_disallowed
(
*
repository_permissions
)
end
end
end
end
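Review bot: Nothing in this hunk exercises the scenario the changelog names — access through a CI job token — since both new contexts instantiate the policy with an ordinary user (`owner` and `other_user`); unless that path is covered in another spec, add a context whose subject's only access to the project comes via a CI job token of a different project and expect `:build_download_code` to be disallowed there. The `'when user is some other user'` context sets four feature levels to PRIVATE but its name says only `'when access level is private'`; a name such as `context 'when repository, merge requests, builds and forking are private'` tells the reader which levels the expectation depends on. Also, `'when user is a project member'` checks `owner` only, so the `reporter` and `guest` users defined at the top of the spec are never run against `repository_permissions` with the feature disabled; iterating over the member roles would close that gap. The enclosing `describe ProjectPolicy do` closes outside the hunk.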
...
...