Merge branch 'rs-notes-privilege-escalation' into 'master'

Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 See merge request !1964
author: Robert Speicher <robert@gitlab.com> 2016-04-26 22:45:41 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2016-04-26 23:31:48 +0300
commit: 076632f170271ad08e7be1aaaf5a1cb63a0c639f (patch)
tree: 1d8344f38d81dc7a0effc97af2b48fb2fca6f9cf /app
parent: 23bc10ec7910a6d4e428f0c7fc0e5ef8fc96d24d (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/app/services/notes/create_service.rb b/app/services/notes/create_service.rb
index a8486e6a5a1..5e2eb5dc21e 100644
--- a/app/services/notes/create_service.rb
+++ b/app/services/notes/create_service.rb
@@ -5,6 +5,8 @@ module Notes
       note.author = current_user
       note.system = false
 
+      return unless valid_project?(note)
+
       if note.save
         notification_service.new_note(note)
 
@@ -28,5 +30,14 @@ module Notes
       note.project.execute_hooks(note_data, :note_hooks)
       note.project.execute_services(note_data, :note_hooks)
     end
+
+    private
+
+    def valid_project?(note)
+      return false unless project
+      return true if note.for_commit?
+
+      note.noteable.try(:project) == project
+    end
   end
 end
author	Robert Speicher <robert@gitlab.com>	2016-04-26 22:45:41 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2016-04-26 23:31:48 +0300
commit	076632f170271ad08e7be1aaaf5a1cb63a0c639f (patch)
tree	1d8344f38d81dc7a0effc97af2b48fb2fca6f9cf /app
parent	23bc10ec7910a6d4e428f0c7fc0e5ef8fc96d24d (diff)