authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 17:36:12 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 17:36:12 +0300
commited98b14d6293807e32a708faa5e33d2b5bb35282 (patch)
tree3e92b6adbb1aba68133e621b6d2881ac85552fd9
parent9bfd352cd92bccf032bd705b92eab5e91b6151ed (diff)
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
-rw-r--r--app/helpers/projects_helper.rb1
-rw-r--r--changelogs/unreleased/bug-codeowner-diffs.yml5
-rw-r--r--changelogs/unreleased/security-branch-permissions.yml5
-rw-r--r--spec/helpers/application_helper_spec.rb23
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/C++.gitignore0
-rw-r--r--[-rwxr-xr-x]vendor/gitignore/Java.gitignore0
6 files changed, 29 insertions, 5 deletions
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 3d5f22faf68..8bec7599158 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -624,6 +624,7 @@ module ProjectsHelper
def find_file_path
return unless @project && !@project.empty_repo?
+ return unless can?(current_user, :download_code, @project)
ref = @ref || @project.repository.root_ref
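Review bot: The added `can?` guard runs after `@project.empty_repo?`, so a caller without `:download_code` still triggers a repository lookup before being refused; putting the permission check ahead of the repository probe keeps the denied path free of repository access, e.g. `return unless @project && can?(current_user, :download_code, @project)` followed by `return if @project.empty_repo?`. The reason for the guard is only recorded in the changelog entry, so a comment on the new line such as `# The returned path embeds the repository's root ref; only users allowed to read the code may learn it` would keep the intent next to the code. find_file_path's body continues outside the hunk, and blank lines appear to have been dropped from this rendering of it.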
diff --git a/changelogs/unreleased/bug-codeowner-diffs.yml b/changelogs/unreleased/bug-codeowner-diffs.yml
new file mode 100644
index 00000000000..996628240ab
--- /dev/null
+++ b/changelogs/unreleased/bug-codeowner-diffs.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure MR diff exists before codeowner check
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-branch-permissions.yml b/changelogs/unreleased/security-branch-permissions.yml
new file mode 100644
index 00000000000..6b8abe3eda6
--- /dev/null
+++ b/changelogs/unreleased/security-branch-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized access to default branch
+merge_request:
+author:
+type: security
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index a67475e47a3..a96046735c8 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -277,11 +277,16 @@ describe ApplicationHelper do
end
context 'when @project is set' do
- it 'includes all possible body data elements and associates the project elements with project' do
- project = create(:project)
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:user) { create(:user) }
+ before do
assign(:project, project)
+ allow(helper).to receive(:current_user).and_return(nil)
+ end
+ it 'includes all possible body data elements and associates the project elements with project' do
+ expect(helper).to receive(:can?).with(nil, :download_code, project)
expect(helper.body_data).to eq(
{
page: 'application',
@@ -302,12 +307,11 @@ describe ApplicationHelper do
context 'when params[:id] is present and the issue exsits and action_name is show' do
it 'sets all project and id elements correctly related to the issue' do
- issue = create(:issue)
+ issue = create(:issue, project: project)
stub_controller_method(:action_name, 'show')
stub_controller_method(:params, { id: issue.id })
- assign(:project, issue.project)
-
+ expect(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
expect(helper.body_data).to eq(
{
page: 'projects:issues:show',
@@ -322,6 +326,15 @@ describe ApplicationHelper do
end
end
end
+
+ context 'when current_user has download_code permission' do
+ it 'returns find_file with the default branch' do
+ allow(helper).to receive(:current_user).and_return(user)
+
+ expect(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
+ expect(helper.body_data[:find_file]).to end_with(project.default_branch)
+ end
+ end
end
def stub_controller_method(method_name, value)
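Review bot: The expectation added in the first hunk, `expect(helper).to receive(:can?).with(nil, :download_code, project)`, sets no return value and so relies on the mock's default nil being falsy to exercise the denied branch; the second hunk already writes `.and_return(false)`, and the first should do the same so the denied outcome is stated rather than implied. The denied cases also assert only the whole body_data hash, whose expected contents run past the hunks, so an explicit `expect(helper.body_data[:find_file]).to be_nil` in a denied context would mirror the positive assertion of the third hunk and pin the security-relevant behaviour directly. The enclosing `describe ApplicationHelper` block and the expected hashes extend outside the shown hunks.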
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore