Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 11:57:06 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-27 11:57:06 +0300
commit: ecec480cbe10cc9740d4b83147aec3bbd533ef40 (patch)
tree: e66b6529b42b2013910fd6d60c152569b47bea12 /app
parent: 8244be7ee6dc69e639b516ceefe993bd323ed310 (diff)
4 files changed, 20 insertions, 2 deletions
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index a9ef33bf3b9..36ba3d686af 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -7,11 +7,15 @@
 module SessionlessAuthentication
   # This filter handles personal access tokens, atom requests with rss tokens, and static object tokens
   def authenticate_sessionless_user!(request_format)
-    user = Gitlab::Auth::RequestAuthenticator.new(request).find_sessionless_user(request_format)
+    user = request_authenticator.find_sessionless_user(request_format)
 
     sessionless_sign_in(user) if user
   end
 
+  def request_authenticator
+    @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(request)
+  end
+
   def sessionless_user?
     current_user && !session.key?('warden.user.user.key')
   end
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 53064041ab8..a728d5cc18b 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -108,7 +108,13 @@ class GraphqlController < ApplicationController
   end
 
   def context
-    @context ||= { current_user: current_user, is_sessionless_user: !!sessionless_user?, request: request }
+    api_user = !!sessionless_user?
+    @context ||= {
+      current_user: current_user,
+      is_sessionless_user: api_user,
+      request: request,
+      scope_validator: ::Gitlab::Auth::ScopeValidator.new(api_user, request_authenticator)
+    }
   end
 
   def build_variables(variable_info)
diff --git a/app/graphql/mutations/base_mutation.rb b/app/graphql/mutations/base_mutation.rb
index ac5ddc5bd4c..a53cc72d904 100644
--- a/app/graphql/mutations/base_mutation.rb
+++ b/app/graphql/mutations/base_mutation.rb
@@ -28,8 +28,12 @@ module Mutations
     end
 
     def ready?(**args)
+      auth = ::Gitlab::Graphql::Authorize::ObjectAuthorization.new(:execute_graphql_mutation, :api)
+
       if Gitlab::Database.read_only?
         raise Gitlab::Graphql::Errors::ResourceNotAvailable, ERROR_MESSAGE
+      elsif !auth.ok?(:global, current_user, scope_validator: context[:scope_validator])
+        raise_resource_not_available_error!
       else
         true
       end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 5ee34ebbb2f..d16c4734b2c 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -23,6 +23,7 @@ class GlobalPolicy < BasePolicy
     prevent :receive_notifications
     prevent :use_quick_actions
     prevent :create_group
+    prevent :execute_graphql_mutation
   end
 
   rule { default }.policy do
@@ -32,6 +33,7 @@ class GlobalPolicy < BasePolicy
     enable :receive_notifications
     enable :use_quick_actions
     enable :use_slash_commands
+    enable :execute_graphql_mutation
   end
 
   rule { inactive }.policy do
@@ -48,6 +50,8 @@ class GlobalPolicy < BasePolicy
     prevent :use_slash_commands
   end
 
+  rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
+
   rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
     prevent :access_git
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 11:57:06 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-04-27 11:57:06 +0300
commit	ecec480cbe10cc9740d4b83147aec3bbd533ef40 (patch)
tree	e66b6529b42b2013910fd6d60c152569b47bea12 /app
parent	8244be7ee6dc69e639b516ceefe993bd323ed310 (diff)