Confidential notes data leak

e90df698 · Valery Sizov · f2caad24 · e90df698 · e90df698 · e90df698
Commit e90df698 authored 8 years ago by Valery Sizov
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,9 @@ v 8.9.0 (unreleased)
  - Fix issues filter when ordering by milestone
  - Todos will display target state if issuable target is 'Closed' or 'Merged'
  
+v 8.8.3
+  - In search results, only show notes on confidential issues that the user has access to
+
 v 8.8.2
  - Added remove due date button. !4209
  - Fix Error 500 when accessing application settings due to nil disabled OAuth sign-in sources. !4242

--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -80,11 +80,26 @@ class Note < ActiveRecord::Base
    # query - The search query as a String.
    #
    # Returns an ActiveRecord::Relation.
-    def search(query)
+    def search(query, user = nil)
      table   = arel_table
      pattern = "%#{query}%"
  
-      where(table[:note].matches(pattern))
+      found_notes = joins('LEFT JOIN issues ON issues.id = noteable_id').
+        where(table[:note].matches(pattern))
+
+      if user
+        found_notes.where('
+          issues.confidential IS NOT TRUE
+          OR (issues.confidential IS TRUE
+            AND (issues.author_id = :user_id
+            OR issues.assignee_id = :user_id
+            OR issues.project_id IN(:project_ids)))',
+          user_id: user.id,
+          project_ids: user.authorized_projects.select(:id)
+        )
+      else
+        found_notes.where('issues.confidential IS NOT TRUE')
+      end
    end
  
    def grouped_awards

--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -74,7 +74,7 @@ module Gitlab
    end
  
    def notes
-      project.notes.user.search(query).order('updated_at DESC')
+      project.notes.user.search(query, @current_user).order('updated_at DESC')
    end
  
    def commits

--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -111,6 +111,25 @@ describe Note, models: true do
    it 'returns notes with matching content regardless of the casing' do
      expect(described_class.search('WOW')).to eq([note])
    end
+
+    context "confidential issues" do
+      let(:user) { create :user }
+      let(:confidential_issue) { create :issue, confidential: true, author: user }
+      let(:confidential_note) { create :note, note: "Random", noteable: confidential_issue }
+
+      it "returns notes with matching content if user can see the issue" do
+        expect(described_class.search(confidential_note.note, user)).to eq([confidential_note])
+      end
+
+      it "does not return notes with matching content if user can not see the issue" do
+        user = create :user
+        expect(described_class.search(confidential_note.note, user)).to be_empty
+      end
+
+      it "does not return notes with matching content for unauthenticated users" do
+        expect(described_class.search(confidential_note.note)).to be_empty
+      end
+    end
  end
  
  describe '.grouped_awards' do