authorDmitriy Zaporozhets <dzaporozhets@gitlab.com>2015-03-03 20:05:12 +0000
committerDmitriy Zaporozhets <dzaporozhets@gitlab.com>2015-03-03 20:05:12 +0000
commit8c47a72a4ed3df2327104e029307b5d804525886 (patch)
tree37070b999e2aa5dc6cbfdf14209575716d9e86af /lib/api
parenta7fad44bd361c68c6f4ff0fbeb5ad067ef2b74b1 (diff)
parent0e11be40c39df66859ae0f3dc265cd903820c153 (diff)
Merge branch 'project-existence-leak' into 'master'
Don't leak information about private project existence via Git-over-SSH/HTTP. Fixes #2040 and https://gitlab.com/gitlab-org/gitlab-ce/issues/343. Both `Grack::Auth` (used by Git-over-HTTP) and `Api::Internal /allowed` (used by gitlab-shell/Git-over-SSH) now return a generic "Not Found" error when the project exists but the user doesn't have access to it. See merge request !1578
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/internal.rb39
1 files changed, 22 insertions, 17 deletions
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index ba3fe619b92..753d0fcbd98 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -16,6 +16,17 @@ module API
#
post "/allowed" do
status 200
+
+ actor = if params[:key_id]
+ Key.find_by(id: params[:key_id])
+ elsif params[:user_id]
+ User.find_by(id: params[:user_id])
+ end
+
+ unless actor
+ return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+ end
+
project_path = params[:project]
# Check for *.wiki repositories.
@@ -32,26 +43,20 @@ module API
project = Project.find_with_namespace(project_path)
- unless project
- return Gitlab::GitAccessStatus.new(false, 'No such project')
+ if project
+ status = access.check(
+ actor,
+ params[:action],
+ project,
+ params[:changes]
+ )
end
- actor = if params[:key_id]
- Key.find_by(id: params[:key_id])
- elsif params[:user_id]
- User.find_by(id: params[:user_id])
- end
-
- unless actor
- return Gitlab::GitAccessStatus.new(false, 'No such user or key')
+ if project && status && status.allowed?
+ status
+ else
+ Gitlab::GitAccessStatus.new(false, 'No such project')
end
-
- access.check(
- actor,
- params[:action],
- project,
- params[:changes]
- )
end
#
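Review bot: Every denial returned by `access.check` is now rewritten to 'No such project' in the `if project && status && status.allowed?` branch, including denials for actors who can legitimately see the project (a push rejected for a protected branch or a missing push permission), so those users lose the real reason even though no existence leak needs masking in their case. Only the case where the actor cannot read the project needs the generic message; consider returning `status` whenever the actor has read access to the project and falling back to `Gitlab::GitAccessStatus.new(false, 'No such project')` otherwise — assuming a read-permission check is reachable from this endpoint, which the hunk does not show. The generic reply also only equalizes the message, not the work done: an existing-but-hidden project still runs `access.check` before the 'Not Found' answer, so a timing difference between missing and hidden projects may remain, which is worth noting in a comment above the final `if`. Separately, the new local `status` shadows Grape's `status` helper that the `status 200` call at the top of the `post "/allowed"` block relies on (that block begins in the previous hunk); renaming it `access_status` avoids the shadowing. I would also add `# Hide private projects from actors who cannot read them` above the final `if` so the deliberate conflation of "missing" and "forbidden" is not undone later.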