author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-26 21:40:58 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-26 21:40:58 +0000 |
commit | 87c6c8dabc402c4692e426d48d58febd4994be7f (patch) | |
tree | 1f8e30cf458abeeec39d7327c4f44066b6daf826 /app | |
parent | 3807840db3c78d21fd3b38d62ad30e568970936e (diff) | |
parent | cf8fc36815e9522290ce1f082cd107bd1d5470b2 (diff) | |
download | gitlab-ce-87c6c8dabc402c4692e426d48d58febd4994be7f.tar.gz |
Merge branch 'security-prevent-detection-of-merge-request-template-name-12-0' into '12-0-stable'
Guests can know whether merge request template name exists or not
See merge request gitlab/gitlabhq!3161
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/application_controller.rb | 5 | ||||
-rw-r--r-- | app/controllers/projects/templates_controller.rb | 17 |
2 files changed, 20 insertions, 2 deletions
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 80e4f54bbf4..910bb819df6 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -12,6 +12,11 @@ class Projects::ApplicationController < ApplicationController
 helper_method :repository, :can_collaborate_with_project?, :user_access
+ rescue_from Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError do |exception|
+ log_exception(exception)
+ render_404
+ end
+
 private
 def project
diff --git a/app/controllers/projects/templates_controller.rb b/app/controllers/projects/templates_controller.rb
index 7ceea4e5b96..f987033a26c 100644
--- a/app/controllers/projects/templates_controller.rb
+++ b/app/controllers/projects/templates_controller.rb
@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 class Projects::TemplatesController < Projects::ApplicationController
- before_action :authenticate_user!, :get_template_class
+ before_action :authenticate_user!
+ before_action :authorize_can_read_issuable!
+ before_action :get_template_class
 def show
 template = @template_type.find(params[:key], project)
@@ -13,9 +15,20 @@ class Projects::TemplatesController < Projects::ApplicationController
 private
+ # User must have:
+ # - `read_merge_request` to see merge request templates, or
+ # - `read_issue` to see issue templates
+ #
+ # Note params[:template_type] has a route constraint to limit it to
+ # `merge_request` or `issue`
+ def authorize_can_read_issuable!
+ action = [:read_, params[:template_type]].join
+
+ authorize_action!(action)
+ end
+
 def get_template_class
 template_types = { issue: Gitlab::Template::IssueTemplate, merge_request: Gitlab::Template::MergeRequestTemplate }.with_indifferent_access
 @template_type = template_types[params[:template_type]]
- render json: [], status: :not_found unless @template_type
 end
 end
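Review bot: The `rescue_from` added to Projects::ApplicationController applies to every project controller, while the only raise site visible in this diff is TemplatesController#show's `@template_type.find(params[:key], project)` (presumably the template finder raises FileNotFoundError for an unknown key). Registering the handler in Projects::TemplatesController would keep the base controller's handler list focused, unless other project controllers are expected to reach the same finder. Either way the handler deserves a short comment so the next reader sees why it exists, e.g. `# An unknown template key becomes a 404; the lookup only runs after authorization, so the response reveals nothing about template names to users who cannot read the issuable`. The enclosing class continues outside the hunk.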
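Review bot: `authorize_can_read_issuable!` builds the ability name by joining `:read_` with the raw `params[:template_type]`, so the check relies entirely on the route constraint the new comment mentions, and the `action` it passes is a String rather than the Symbol abilities are normally declared as (authorize_action! appears to tolerate that, but it is worth confirming). An explicit allow-list keyed on the two permitted values would make the controller self-contained and give an unexpected type a definite 404 instead of an ability lookup for `:read_`; get_template_class already keeps the same two keys in `template_types`, so the two maps should stay in step. The constant below belongs near the before_action lines at the top of the class, outside this hunk.
```ruby
ISSUABLE_READ_ABILITIES = {
  'issue' => :read_issue,
  'merge_request' => :read_merge_request
}.freeze

# … unchanged: show action …

def authorize_can_read_issuable!
  ability = ISSUABLE_READ_ABILITIES[params[:template_type]]
  return render_404 unless ability

  authorize_action!(ability)
end
```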