From 9622eec0ad8aea23e780c1a7efa73ff078a482da Mon Sep 17 00:00:00 2001
From: Robert Speicher <robert@gitlab.com>
Date: Mon, 25 Apr 2016 21:10:18 +0000
Subject: Merge branch '15591-fix-project-leak-in-new-mr-view' into 'master'

Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963
---
 app/services/merge_requests/build_service.rb       |  3 +++
 spec/features/merge_requests/create_new_mr_spec.rb | 23 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 spec/features/merge_requests/create_new_mr_spec.rb

diff --git a/app/services/merge_requests/build_service.rb b/app/services/merge_requests/build_service.rb
index 6e9152e444e..68916e1f789 100644
--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -7,6 +7,9 @@ module MergeRequests
       merge_request.can_be_created = false
       merge_request.compare_commits = []
       merge_request.source_project = project unless merge_request.source_project
+
+      merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
       merge_request.target_project ||= (project.forked_from_project || project)
       merge_request.target_branch ||= merge_request.target_project.default_branch
 
diff --git a/spec/features/merge_requests/create_new_mr_spec.rb b/spec/features/merge_requests/create_new_mr_spec.rb
new file mode 100644
index 00000000000..f2dd2c56d1e
--- /dev/null
+++ b/spec/features/merge_requests/create_new_mr_spec.rb
@@ -0,0 +1,23 @@
+require 'spec_helper'
+
+feature 'Create New Merge Request', feature: true, js: true do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :public) }
+
+  before do
+    project.team << [user, :master]
+
+    login_as user
+    visit namespace_project_merge_requests_path(project.namespace, project)
+  end
+
+  context 'when target project cannot be viewed by the current user' do
+    it 'does not leak the private project name & namespace' do
+      private_project = create(:project, :private)
+
+      visit new_namespace_project_merge_request_path(project.namespace, project, merge_request: { target_project_id: private_project.id })
+
+      expect(page).not_to have_content private_project.to_reference
+    end
+  end
+end
-- 
cgit v1.2.1