Merge branch 'jej-group-name-disclosure' into 'security'

Prevent private group disclosure via parent_id See merge request !2077
gitlabhq · Mar 30, 2017 · 91f4358 · 91f4358
1 parent 60c0c0f
commit 91f4358
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 1 deletion.
diff --git a/app/finders/group_finder.rb b/app/finders/group_finder.rb
@@ -0,0 +1,17 @@
+class GroupFinder
+  include Gitlab::Allowable
+
+  def initialize(current_user)
+    @current_user = current_user
+  end
+
+  def execute(*params)
+    group = Group.find_by(*params)
+
+    if can?(@current_user, :read_group, group)
+      group
+    else
+      nil
+    end
+  end
+end
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
@@ -1,6 +1,8 @@
 module Groups
   class UpdateService < Groups::BaseService
     def execute
+      reject_parent_id!
+
       # check that user is allowed to set specified visibility_level
       new_visibility = params[:visibility_level]
       if new_visibility && new_visibility.to_i != group.visibility_level
@@ -22,5 +24,11 @@ def execute
         false
       end
     end
+
+    private
+
+    def reject_parent_id!
+      params.except!(:parent_id)
+    end
   end
 end
diff --git a/app/views/shared/_group_form.html.haml b/app/views/shared/_group_form.html.haml
@@ -1,4 +1,4 @@
-- parent = Group.find_by(id: params[:parent_id] || @group.parent_id)
+- parent = GroupFinder.new(current_user).execute(id: params[:parent_id] || @group.parent_id)
 - group_path = root_url
 - group_path << parent.full_path + '/' if parent
 - if @group.persisted?

diff --git a/changelogs/unreleased/jej-group-name-disclosure.yml b/changelogs/unreleased/jej-group-name-disclosure.yml
@@ -0,0 +1,4 @@
+---
+title: Fixed private group name disclosure via new/update forms
+merge_request:
+author:
diff --git a/spec/features/groups_spec.rb b/spec/features/groups_spec.rb
@@ -100,6 +100,16 @@
     end
   end
 
+  it 'checks permissions to avoid exposing groups by parent_id' do
+    group = create(:group, :private, path: 'secret-group')
+
+    logout
+    login_as(:user)
+    visit new_group_path(parent_id: group.id)
+
+    expect(page).not_to have_content('secret-group')
+  end
+
   describe 'group edit' do
     let(:group) { create(:group) }
     let(:path)  { edit_group_path(group) }

diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
@@ -36,6 +36,20 @@
         end
       end
     end
+
+    context "with parent_id user doesn't have permissions for" do
+      let(:service) { described_class.new(public_group, user, parent_id: private_group.id) }
+
+      before do
+        service.execute
+      end
+
+      it 'does not update parent_id' do
+        updated_group = public_group.reload
+
+        expect(updated_group.parent_id).to be_nil
+      end
+    end
   end
 
   context "unauthorized visibility_level validation" do