Skip to content
Snippets Groups Projects
Commit f597db2e authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot
Browse files

Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-2' into '12-2-stable' 

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3508
parents 8be63680 449910c8
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app/controllers/concerns/lfs_request.rb
+ 1
0
View file @ f597db2e
@@ -34,6 +34,7 @@ module LfsRequest
end
 
def lfs_check_access!
return render_lfs_not_found unless project
return if download_request? && lfs_download_access?
return if upload_request? && lfs_upload_access?
 
changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml 0 → 100644
+ 5
0
View file @ f597db2e
---
title: Return 404 on LFS request if project doesn't exist
merge_request:
author:
type: security
spec/controllers/concerns/lfs_request_spec.rb
+ 42
1
View file @ f597db2e
@@ -16,13 +16,17 @@ describe LfsRequest do
end
 
def project
@project ||= Project.find(params[:id])
@project ||= Project.find_by(id: params[:id])
end
 
def download_request?
true
end
 
def upload_request?
false
end
def ci?
false
end
@@ -49,4 +53,41 @@ describe LfsRequest do
expect(assigns(:storage_project)).to eq(project)
end
end
context 'user is authenticated without access to lfs' do
before do
allow(controller).to receive(:authenticate_user)
allow(controller).to receive(:authentication_result) do
Gitlab::Auth::Result.new
end
end
context 'with access to the project' do
it 'returns 403' do
get :show, params: { id: project.id }
expect(response.status).to eq(403)
end
end
context 'without access to the project' do
context 'project does not exist' do
it 'returns 404' do
get :show, params: { id: 'does not exist' }
expect(response.status).to eq(404)
end
end
context 'project is private' do
let(:project) { create(:project, :private) }
it 'returns 404' do
get :show, params: { id: project.id }
expect(response.status).to eq(404)
end
end
end
end
end
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment