| author | Oswaldo Ferreira <oswaldo@gitlab.com> | 2019-08-20 23:36:57 +0300 |
|---|---|---|
| committer | Oswaldo Ferreira <oswaldo@gitlab.com> | 2019-08-21 18:23:44 +0300 |
| commit | 4daf3dc0dba8be985ee7d7e3e331e0468d5a72ad (patch) | |
| tree | 251a8fcb47f9497a67bcf9023cd9195a245eb9ac /spec/helpers | |
| parent | 50ff074e79a67a14abdd9f5fcce8d6c7729b179f (diff) | |
Avoid exposing inaccessible repo data upon GFM processing
When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.
This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.
Additionally, if we're processing for a group
(no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.
Diffstat (limited to 'spec/helpers')
-rw-r--r-- | spec/helpers/markup_helper_spec.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/helpers/markup_helper_spec.rb b/spec/helpers/markup_helper_spec.rb index f6e1720e113..1757ec8fa4d 100644 --- a/spec/helpers/markup_helper_spec.rb +++ b/spec/helpers/markup_helper_spec.rb @@ -65,6 +65,9 @@ describe MarkupHelper do describe 'inside a group' do before do + # Ensure the generated reference links aren't redacted + group.add_maintainer(user) + helper.instance_variable_set(:@group, group) helper.instance_variable_set(:@project, nil) end @@ -78,6 +81,9 @@ describe MarkupHelper do let(:project_in_group) { create(:project, group: group) } before do + # Ensure the generated reference links aren't redacted + project_in_group.add_maintainer(user) + helper.instance_variable_set(:@group, group) helper.instance_variable_set(:@project, project_in_group) end |
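Review bot: the new `group.add_maintainer(user)` setup in the 'inside a group' block only exercises the allowed path; the redaction this commit introduces for users who cannot `read_group` has no spec here, so consider adding a sibling example where `user` is not a group member and asserting that the href is left unexpanded. Maintainer is also a much stronger role than the `read_group` check needs; granting the lowest role that satisfies it would document the actual permission boundary rather than hide it.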
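Review bot: same gap in the second hunk: `project_in_group.add_maintainer(user)` makes the expanded-link expectations pass, but nothing in this spec checks the `download_code` gate the commit message describes for the project case. A negative example with a user who has no access to `project_in_group`, asserting that the relative link is passed through untouched, would pin the security behaviour so a later refactor of RelativeLinkFilter cannot silently reopen the exposure.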