From 68e31c098ec3984c42b921c07fec8593116e77ce Mon Sep 17 00:00:00 2001
From: James Lopez <james@gitlab.com>
Date: Fri, 26 Jan 2018 15:39:10 +0000
Subject: Merge branch 'fix/gh-namespace-issue' into 'security-10-4'

[10.4] Fix GH namespace security issue
---
 app/services/groups/nested_create_service.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'app/services/groups')

diff --git a/app/services/groups/nested_create_service.rb b/app/services/groups/nested_create_service.rb
index d6f08fc3cce..5c337a9faa5 100644
--- a/app/services/groups/nested_create_service.rb
+++ b/app/services/groups/nested_create_service.rb
@@ -11,8 +11,8 @@ module Groups
     def execute
       return nil unless group_path
 
-      if group = Group.find_by_full_path(group_path)
-        return group
+      if namespace = namespace_or_group(group_path)
+        return namespace
       end
 
       if group_path.include?('/') && !Group.supports_nested_groups?
@@ -40,10 +40,14 @@ module Groups
         )
         new_params[:visibility_level] ||= Gitlab::CurrentSettings.current_application_settings.default_group_visibility
 
-        last_group = Group.find_by_full_path(partial_path) || Groups::CreateService.new(current_user, new_params).execute
+        last_group = namespace_or_group(partial_path) || Groups::CreateService.new(current_user, new_params).execute
       end
 
       last_group
     end
+
+    def namespace_or_group(group_path)
+      Namespace.find_by_full_path(group_path)
+    end
   end
 end
-- 
cgit v1.2.3