Skip to content
Snippets Groups Projects
Verified Commit 1e6765db authored by Nick Thomas's avatar Nick Thomas
Browse files

Send TODOs for comments on commits correctly 

At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.

This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
parent bef9aef4
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app/services/todo_service.rb
+ 2
4
View file @ 1e6765db
@@ -314,11 +314,9 @@ class TodoService
end
 
def reject_users_without_access(users, parent, target)
if target.is_a?(Note) && target.for_issuable?
target = target.noteable
end
target = target.noteable if target.is_a?(Note)
 
if target.is_a?(Issuable)
if target.respond_to?(:to_ability_name)
select_users(users, :"read_#{target.to_ability_name}", target)
else
select_users(users, :read_project, parent)
changelogs/unreleased/security-64711-fix-commit-todos.yml 0 → 100644
+ 5
0
View file @ 1e6765db
---
title: Send TODOs for comments on commits correctly
merge_request:
author:
type: security
spec/services/todo_service_spec.rb
+ 105
16
View file @ 1e6765db
@@ -436,25 +436,114 @@ describe TodoService do
should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
end
 
context 'on commit' do
let(:project) { create(:project, :repository) }
it 'creates a todo for each valid mentioned user when leaving a note on commit' do
service.new_note(note_on_commit, john_doe)
should_create_todo(user: member, target_id: nil, target_type: 'Commit', commit_id: note_on_commit.commit_id, author: john_doe, action: Todo::MENTIONED, note: note_on_commit)
should_create_todo(user: author, target_id: nil, target_type: 'Commit', commit_id: note_on_commit.commit_id, author: john_doe, action: Todo::MENTIONED, note: note_on_commit)
should_create_todo(user: john_doe, target_id: nil, target_type: 'Commit', commit_id: note_on_commit.commit_id, author: john_doe, action: Todo::MENTIONED, note: note_on_commit)
should_not_create_todo(user: non_member, target_id: nil, target_type: 'Commit', commit_id: note_on_commit.commit_id, author: john_doe, action: Todo::MENTIONED, note: note_on_commit)
context 'commits' do
let(:base_commit_todo_attrs) { { target_id: nil, target_type: 'Commit', author: john_doe } }
context 'leaving a note on a commit in a public project' do
let(:project) { create(:project, :repository, :public) }
it 'creates a todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::MENTIONED,
note: note_on_commit,
commit_id: note_on_commit.commit_id
)
service.new_note(note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_create_todo(expected_todo.merge(user: guest))
should_create_todo(expected_todo.merge(user: non_member))
end
it 'creates a directly addressed todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::DIRECTLY_ADDRESSED,
note: addressed_note_on_commit,
commit_id: addressed_note_on_commit.commit_id
)
service.new_note(addressed_note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_create_todo(expected_todo.merge(user: guest))
should_create_todo(expected_todo.merge(user: non_member))
end
end
 
it 'creates a directly addressed todo for each valid mentioned user when leaving a note on commit' do
service.new_note(addressed_note_on_commit, john_doe)
context 'leaving a note on a commit in a public project with private code' do
let(:project) { create(:project, :repository, :public, :repository_private) }
it 'creates a todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::MENTIONED,
note: note_on_commit,
commit_id: note_on_commit.commit_id
)
service.new_note(note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_create_todo(expected_todo.merge(user: guest))
should_not_create_todo(expected_todo.merge(user: non_member))
end
it 'creates a directly addressed todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::DIRECTLY_ADDRESSED,
note: addressed_note_on_commit,
commit_id: addressed_note_on_commit.commit_id
)
service.new_note(addressed_note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_create_todo(expected_todo.merge(user: guest))
should_not_create_todo(expected_todo.merge(user: non_member))
end
end
 
should_create_todo(user: member, target_id: nil, target_type: 'Commit', commit_id: addressed_note_on_commit.commit_id, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_commit)
should_create_todo(user: author, target_id: nil, target_type: 'Commit', commit_id: addressed_note_on_commit.commit_id, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_commit)
should_create_todo(user: john_doe, target_id: nil, target_type: 'Commit', commit_id: addressed_note_on_commit.commit_id, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_commit)
should_not_create_todo(user: non_member, target_id: nil, target_type: 'Commit', commit_id: addressed_note_on_commit.commit_id, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_commit)
context 'leaving a note on a commit in a private project' do
let(:project) { create(:project, :repository, :private) }
it 'creates a todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::MENTIONED,
note: note_on_commit,
commit_id: note_on_commit.commit_id
)
service.new_note(note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_not_create_todo(expected_todo.merge(user: guest))
should_not_create_todo(expected_todo.merge(user: non_member))
end
it 'creates a directly addressed todo for each valid mentioned user' do
expected_todo = base_commit_todo_attrs.merge(
action: Todo::DIRECTLY_ADDRESSED,
note: addressed_note_on_commit,
commit_id: addressed_note_on_commit.commit_id
)
service.new_note(addressed_note_on_commit, john_doe)
should_create_todo(expected_todo.merge(user: member))
should_create_todo(expected_todo.merge(user: author))
should_create_todo(expected_todo.merge(user: john_doe))
should_not_create_todo(expected_todo.merge(user: guest))
should_not_create_todo(expected_todo.merge(user: non_member))
end
end
end
 
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment