From ba377e91e1179b5b1124df1fcdda22c1b63e82a1 Mon Sep 17 00:00:00 2001
From: Luke Duncalfe
Date: Thu, 23 May 2019 16:33:11 +1200
Subject: Authorize access before serving project template

Previously, if a user was a guest member of a private project, they could access the merge request template as we were not checking permission-levels of the user.

When an issue template is asked for, the user must have :read_issue for the project; or :read_merge_request when a merge request template is asked for.

We also now rescue_from FileNotFoundError and handle as 404. This is because RepoTemplateFinder can raise a FileNotFoundError exception, which Rails previously handled as a 500. Handling these in a way that is consistent with ActiveRecord::RecordNotFound exceptions, within controllers that inherit from Projects::ApplicationController at least, and returning a 404.

https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
---
 .../security-prevent-detection-of-merge-request-template-name.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml

(limited to 'changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml')

diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml new file mode 100644 index 00000000000..d7bb884cb4b --- /dev/null +++ b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml @@ -0,0 +1,5 @@ +--- +title: Prevent the detection of merge request templates by unauthorized users +merge_request: +author: +type: security
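Review bot: The changelog title names only merge request templates, but the commit message says a permission check (:read_issue) is now also applied when an issue template is requested, so the title undersells the change; consider widening it, e.g. `title: Prevent the detection of issue and merge request templates by unauthorized users`. This view is limited to the changelog file, so the authorization check and the `rescue_from FileNotFoundError` described in the message cannot be reviewed here; when checking the full commit, confirm that a user lacking the required permission receives the same 404 as a request for a template that does not exist, because any distinguishable response (a 403 for the unauthorized case, or the old 500 for the missing case) would still let a guest confirm which template names exist. `merge_request:` and `author:` are left blank; if that is deliberate for a security entry, fine, otherwise fill them in before the release.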
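The pattern the commit message describes (check the permission matching the template type before touching the repository, and turn a missing template file into a 404 rather than a 500), written out as an added, dependency-free Ruby sketch. This is not GitLab's code: TemplateStore, LegacyTemplateEndpoint, TemplateEndpoint, ROLE_ABILITIES, dispatch and the sample templates are all assumptions made for the example, and the "before" class only models the behaviour the message attributes to the old code.

```ruby
# Added illustration, not GitLab's code: a plain-Ruby sketch of "authorize first,
# then treat a missing template as 404". TemplateStore, the endpoint classes,
# ROLE_ABILITIES and the sample data are assumptions made for this example.
require 'set'

class FileNotFoundError < StandardError; end

# Stand-in for a repository template finder: raises FileNotFoundError when the
# requested template path does not exist in the repository.
class TemplateStore
  def initialize(files)
    @files = files
  end

  def find(type, name)
    @files.fetch(type, {}).fetch(name) { raise FileNotFoundError, "#{type}/#{name}" }
  end
end

# Constructed sample repository: one issue template and one merge request template.
SAMPLE_STORE = TemplateStore.new(
  'issue'         => { 'Bug' => 'Steps to reproduce:' },
  'merge_request' => { 'Security' => 'Security release checklist:' }
).freeze

# Assumed permission model for a private project: a guest may read issues but
# not merge requests, a reporter may read both, an anonymous user neither.
ROLE_ABILITIES = {
  guest:     Set[:read_issue],
  reporter:  Set[:read_issue, :read_merge_request],
  anonymous: Set[]
}.freeze

# The permission the commit message requires for each template type.
REQUIRED_ABILITY = { 'issue' => :read_issue, 'merge_request' => :read_merge_request }.freeze

def can?(role, ability)
  ROLE_ABILITIES.fetch(role, Set[]).include?(ability)
end

# Behaviour before the fix: no permission check, and FileNotFoundError escapes.
class LegacyTemplateEndpoint
  def show(_role, type, name)
    [200, SAMPLE_STORE.find(type, name)]
  end
end

# Behaviour after the fix: authorize before touching the repository, and rescue
# FileNotFoundError as 404 so it is indistinguishable from any other missing record.
class TemplateEndpoint
  def show(role, type, name)
    ability = REQUIRED_ABILITY[type]
    return [404, nil] unless ability && can?(role, ability)
    [200, SAMPLE_STORE.find(type, name)]
  rescue FileNotFoundError
    [404, nil]
  end
end

# Models the framework: an exception the endpoint does not rescue becomes a 500.
def dispatch(endpoint, role, type, name)
  endpoint.show(role, type, name)
rescue StandardError
  [500, nil]
end

# True when the role can tell an existing template from a missing one by status
# code alone; for an unauthorized role this is the oracle the fix closes.
def template_oracle?(endpoint, role, type, existing, missing)
  dispatch(endpoint, role, type, existing).first != dispatch(endpoint, role, type, missing).first
end
```

With the legacy endpoint a guest gets 200 for an existing merge request template and 500 for a missing one, which is enough to enumerate template names; with the hardened endpoint both requests return 404, while a reporter, who holds :read_merge_request, still receives the template body.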