Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-2' into '12-2-stable'

Return 404 on LFS request if project doesn't exist See merge request gitlab/gitlabhq!3508

Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-2' into '12-2-stable'
Return 404 on LFS request if project doesn't exist See merge request gitlab/gitlabhq!3508
f597db2e · GitLab Release Tools Bot · 8be63680 · 449910c8 · f597db2e · f597db2e
3 changed file
--- a/app/controllers/concerns/lfs_request.rb
+++ b/app/controllers/concerns/lfs_request.rb
@@ -34,6 +34,7 @@ module LfsRequest
  end

  def lfs_check_access!
+    return render_lfs_not_found unless project
    return if download_request? && lfs_download_access?
    return if upload_request? && lfs_upload_access?


--- a/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
+++ b/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
+---
+title: Return 404 on LFS request if project doesn't exist
+merge_request:
+author:
+type: security
--- a/spec/controllers/concerns/lfs_request_spec.rb
+++ b/spec/controllers/concerns/lfs_request_spec.rb
@@ -16,13 +16,17 @@ describe LfsRequest do
    end

    def project
-      @project ||= Project.find(params[:id])
+      @project ||= Project.find_by(id: params[:id])
    end

    def download_request?
      true
    end

+    def upload_request?
+      false
+    end
+
    def ci?
      false
    end
@@ -49,4 +53,41 @@ describe LfsRequest do
      expect(assigns(:storage_project)).to eq(project)
    end
  end
+
+  context 'user is authenticated without access to lfs' do
+    before do
+      allow(controller).to receive(:authenticate_user)
+      allow(controller).to receive(:authentication_result) do
+        Gitlab::Auth::Result.new
+      end
+    end
+
+    context 'with access to the project' do
+      it 'returns 403' do
+        get :show, params: { id: project.id }
+
+        expect(response.status).to eq(403)
+      end
+    end
+
+    context 'without access to the project' do
+      context 'project does not exist' do
+        it 'returns 404' do
+          get :show, params: { id: 'does not exist' }
+
+          expect(response.status).to eq(404)
+        end
+      end
+
+      context 'project is private' do
+        let(:project) { create(:project, :private) }
+
+        it 'returns 404' do
+          get :show, params: { id: project.id }
+
+          expect(response.status).to eq(404)
+        end
+      end
+    end
+  end
 end