Prevent privilege escalation via notes API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
author: Robert Speicher <rspeicher@gmail.com> 2016-04-26 19:55:38 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2016-04-26 21:40:51 +0300
commit: be67a4843cc37790402404650cb96a6f02552b54 (patch)
tree: 795a8c1e33276c42a0b7fcb37cddf31477030353 /spec/requests/api/notes_spec.rb
parent: 2f5394f5d640944a4efac9d89fcbdbcf79803f01 (diff)
1 files changed, 31 insertions, 10 deletions
diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb
index ec9eda0a2ed..49091fc0f49 100644
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe API::API, api: true  do
   include ApiHelpers
   let(:user) { create(:user) }
-  let!(:project) { create(:project, namespace: user.namespace ) }
+  let!(:project) { create(:project, namespace: user.namespace) }
   let!(:issue) { create(:issue, project: project, author: user) }
   let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
   let!(:snippet) { create(:project_snippet, project: project, author: user) }
@@ -45,7 +45,7 @@ describe API::API, api: true  do
       end
 
       it "should return a 404 error when issue id not found" do
-        get api("/projects/#{project.id}/issues/123/notes", user)
+        get api("/projects/#{project.id}/issues/12345/notes", user)
         expect(response.status).to eq(404)
       end
 
@@ -106,7 +106,7 @@ describe API::API, api: true  do
       end
 
       it "should return a 404 error if issue note not found" do
-        get api("/projects/#{project.id}/issues/#{issue.id}/notes/123", user)
+        get api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user)
         expect(response.status).to eq(404)
       end
 
@@ -134,7 +134,7 @@ describe API::API, api: true  do
       end
 
       it "should return a 404 error if snippet note not found" do
-        get api("/projects/#{project.id}/snippets/#{snippet.id}/notes/123", user)
+        get api("/projects/#{project.id}/snippets/#{snippet.id}/notes/12345", user)
         expect(response.status).to eq(404)
       end
     end
@@ -191,6 +191,27 @@ describe API::API, api: true  do
         expect(response.status).to eq(401)
       end
     end
+
+    context 'when user does not have access to create noteable' do
+      let(:private_issue) { create(:issue, project: create(:project, :private)) }
+
+      ##
+      # We are posting to project user has access to, but we use issue id
+      # from a different project, see #15577
+      #
+      before do
+        post api("/projects/#{project.id}/issues/#{private_issue.id}/notes", user),
+             body: 'Hi!'
+      end
+
+      it 'responds with 500' do
+        expect(response.status).to eq 500
+      end
+
+      it 'does not create new note' do
+        expect(private_issue.notes.reload).to be_empty
+      end
+    end
   end
 
   describe "POST /projects/:id/noteable/:noteable_id/notes to test observer on create" do
@@ -211,7 +232,7 @@ describe API::API, api: true  do
       end
 
       it 'should return a 404 error when note id not found' do
-        put api("/projects/#{project.id}/issues/#{issue.id}/notes/123", user),
+        put api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user),
                 body: 'Hello!'
         expect(response.status).to eq(404)
       end
@@ -233,7 +254,7 @@ describe API::API, api: true  do
 
       it 'should return a 404 error when note id not found' do
         put api("/projects/#{project.id}/snippets/#{snippet.id}/"\
-                  "notes/123", user), body: "Hello!"
+                  "notes/12345", user), body: "Hello!"
         expect(response.status).to eq(404)
       end
     end
@@ -248,7 +269,7 @@ describe API::API, api: true  do
 
       it 'should return a 404 error when note id not found' do
         put api("/projects/#{project.id}/merge_requests/#{merge_request.id}/"\
-                  "notes/123", user), body: "Hello!"
+                  "notes/12345", user), body: "Hello!"
         expect(response.status).to eq(404)
       end
     end
@@ -268,7 +289,7 @@ describe API::API, api: true  do
       end
 
       it 'returns a 404 error when note id not found' do
-        delete api("/projects/#{project.id}/issues/#{issue.id}/notes/123", user)
+        delete api("/projects/#{project.id}/issues/#{issue.id}/notes/12345", user)
 
         expect(response.status).to eq(404)
       end
@@ -288,7 +309,7 @@ describe API::API, api: true  do
 
       it 'returns a 404 error when note id not found' do
         delete api("/projects/#{project.id}/snippets/#{snippet.id}/"\
-                   "notes/123", user)
+                   "notes/12345", user)
 
         expect(response.status).to eq(404)
       end
@@ -308,7 +329,7 @@ describe API::API, api: true  do
 
       it 'returns a 404 error when note id not found' do
         delete api("/projects/#{project.id}/merge_requests/"\
-                   "#{merge_request.id}/notes/123", user)
+                   "#{merge_request.id}/notes/12345", user)
 
         expect(response.status).to eq(404)
       end
author	Robert Speicher <rspeicher@gmail.com>	2016-04-26 19:55:38 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2016-04-26 21:40:51 +0300
commit	be67a4843cc37790402404650cb96a6f02552b54 (patch)
tree	795a8c1e33276c42a0b7fcb37cddf31477030353 /spec/requests/api/notes_spec.rb
parent	2f5394f5d640944a4efac9d89fcbdbcf79803f01 (diff)