root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee

This commit is contained in:
GitLab Bot 2022-09-28 22:00:24 +00:00
parent cc201d1e1b
commit 36c8a31d57
5 changed files with 52 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/services/base_project_service.rb
View File

@ -7,7 +7,9 @@ class BaseProjectService < ::BaseContainerService
attr_accessor :project
def initialize(project:, current_user: nil, params: {})
super(container: project, current_user: current_user, params: params)
# we need to exclude project params since they may come from external requests. project should always
# be passed as part of the service's initializer
super(container: project, current_user: current_user, params: params.except(:project, :project_id))
@project = project
end

4
lib/gitlab/json_cache.rb
View File

@ -43,9 +43,7 @@ module Gitlab
end
def write(key, value, options = nil)
# As we use json as the serialization format, return everything from
# ActiveModel objects included encrypted values.
backend.write(cache_key(key), value.to_json(unsafe_serialization_hash: true), options)
backend.write(cache_key(key), value.to_json, options)
end
def fetch(key, options = {}, &block)

20
spec/controllers/boards/issues_controller_spec.rb
View File

@ -427,6 +427,22 @@ RSpec.describe Boards::IssuesController do
end
describe 'POST create' do
context 'when trying to create issue on an unauthorized project' do
let(:unauthorized_project) { create(:project, :private) }
let(:issue_params) { { project_id: unauthorized_project.id } }
it 'creates the issue on the board\'s project' do
expect do
create_issue user: user, board: board, list: list1, title: 'New issue', additional_issue_params: issue_params
end.to change(Issue, :count).by(1)
created_issue = Issue.last
expect(created_issue.project).to eq(project)
expect(unauthorized_project.reload.issues.count).to eq(0)
end
end
context 'with valid params' do
before do
create_issue user: user, board: board, list: list1, title: 'New issue'
@ -500,13 +516,13 @@ RSpec.describe Boards::IssuesController do
end
end
def create_issue(user:, board:, list:, title:)
def create_issue(user:, board:, list:, title:, additional_issue_params: {})
sign_in(user)
post :create, params: {
board_id: board.to_param,
list_id: list.to_param,
issue: { title: title, project_id: project.id }
issue: { title: title, project_id: project.id }.merge(additional_issue_params)
},
format: :json
end

13
spec/services/issues/create_service_spec.rb
View File

@ -47,6 +47,19 @@ RSpec.describe Issues::CreateService do
due_date: Date.tomorrow }
end
context 'when an unauthorized project_id is provided' do
let(:unauthorized_project) { create(:project) }
before do
opts[:project_id] = unauthorized_project.id
end
it 'ignores the project_id param and creates issue in the given project' do
expect(issue.project).to eq(project)
expect(unauthorized_project.reload.issues.count).to eq(0)
end
end
it 'works if base work item types were not created yet' do
WorkItems::Type.delete_all

17
spec/services/issues/update_service_spec.rb
View File

@ -69,6 +69,23 @@ RSpec.describe Issues::UpdateService, :mailer do
}
end
context 'when an unauthorized project_id is provided' do
let(:unauthorized_project) { create(:project) }
before do
opts[:project_id] = unauthorized_project.id
end
it 'ignores the project_id param and does not update the issue\'s project' do
expect do
update_issue(opts)
unauthorized_project.reload
end.to not_change { unauthorized_project.issues.count }
expect(issue.project).to eq(project)
end
end
it 'updates the issue with the given params' do
expect(TodosDestroyer::ConfidentialIssueWorker).not_to receive(:perform_in)