Merge branch 'security-tags-oracle-11-8' into '11-8-stable'

Prevent Releases links API to leak tag existence See merge request gitlab/gitlabhq!2908

Merge branch 'security-tags-oracle-11-8' into '11-8-stable'
cefed976 · Yorick Peterse · 5ba20d39 · d91ac3c2 · cefed976 · cefed976
Commit cefed976 authored 6 years ago by Yorick Peterse
--- a/changelogs/unreleased/security-tags-oracle.yml
+++ b/changelogs/unreleased/security-tags-oracle.yml
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
@@ -8,6 +8,8 @@ module API
      RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
        .merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
  
+      before { authorize! :read_release, user_project }
+
      params do
        requires :id, type: String, desc: 'The ID of a project'
      end

--- a/spec/requests/api/release/links_spec.rb
+++ b/spec/requests/api/release/links_spec.rb
@@ -73,6 +73,22 @@ describe API::Release::Links do
          expect(response).to have_gitlab_http_status(:ok)
        end
      end
+
+      context 'when project is public and the repository is private' do
+        let(:project) { create(:project, :repository, :public, :repository_private) }
+
+        it_behaves_like '403 response' do
+          let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+        end
+
+        context 'when the release does not exists' do
+          let!(:release) { }
+
+          it_behaves_like '403 response' do
+            let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) }
+          end
+        end
+      end
    end
  end