Merge branch 'security-mass-assignment-on-project-update-11-7' into '11-7-stable'

Disallow changing namespace of a project in update method See merge request gitlab/gitlabhq!3031

Merge branch 'security-mass-assignment-on-project-update-11-7' into '11-7-stable'
9426a45f · Yorick Peterse · 8ab12f76 · e70564ff · 9426a45f · 9426a45f
Commit 9426a45f authored 5 years ago by Yorick Peterse
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -46,7 +46,7 @@ class ProjectsController < Projects::ApplicationController
  end
  
  def create
-    @project = ::Projects::CreateService.new(current_user, project_params).execute
+    @project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
  
    if @project.saved?
      cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
@@ -327,9 +327,9 @@ class ProjectsController < Projects::ApplicationController
  end
  # rubocop: enable CodeReuse/ActiveRecord
  
-  def project_params
+  def project_params(attributes: [])
    params.require(:project)
-      .permit(project_params_attributes)
+      .permit(project_params_attributes + attributes)
  end
  
  def project_params_attributes
@@ -348,11 +348,10 @@ class ProjectsController < Projects::ApplicationController
      :last_activity_at,
      :lfs_enabled,
      :name,
-      :namespace_id,
      :only_allow_merge_if_all_discussions_are_resolved,
      :only_allow_merge_if_pipeline_succeeds,
-      :printing_merge_request_link_enabled,
      :path,
+      :printing_merge_request_link_enabled,
      :public_builds,
      :request_access_enabled,
      :runners_token,
@@ -374,6 +373,10 @@ class ProjectsController < Projects::ApplicationController
    ]
  end
  
+  def project_params_create_attributes
+    [:namespace_id]
+  end
+
  def custom_import_params
    {}
  end

--- a/changelogs/unreleased/security-mass-assignment-on-project-update.yml
+++ b/changelogs/unreleased/security-mass-assignment-on-project-update.yml
+---
+title: Disallow updating namespace when updating a project
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -369,6 +369,23 @@ describe ProjectsController do
        end
      end
  
+      it 'does not update namespace' do
+        controller.instance_variable_set(:@project, project)
+
+        params = {
+          namespace_id: 'test'
+        }
+
+        expect do
+          put :update,
+            params: {
+              namespace_id: project.namespace,
+              id: project.id,
+              project: params
+            }
+        end.not_to change { project.namespace.reload }
+      end
+
      def update_project(**parameters)
        put :update,
            params: {