Add patch for cve-2017-0920

This commit is contained in:
Pirate Praveen 2018-03-27 16:40:37 +05:30
parent 3a35221826
commit 216662c34f
2 changed files with 72 additions and 0 deletions

71
debian/patches/cve-2017-0920.patch vendored Normal file
View file

@ -0,0 +1,71 @@
From 523050b6383256072364937bd61054aebca2978b Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Fri, 5 Jan 2018 17:55:37 +0000
Subject: [PATCH] Merge branch '41567-projectfix' into 'security-10-3'
check project access on MR create
See merge request gitlab/gitlabhq!2273
(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
43e85f49 check project access on MR create
---
app/services/merge_requests/create_service.rb | 28 ++++++++++++++++++++++------
changelogs/unreleased/projectfix.yml | 6 ++++++
spec/features/cycle_analytics_spec.rb | 1 +
spec/models/project_services/microsoft_teams_service_spec.rb | 4 ++++
spec/requests/api/merge_requests_spec.rb | 26 +++++++++++++++++++-------
spec/requests/api/v3/merge_requests_spec.rb | 26 +++++++++++++++++++-------
spec/services/merge_requests/create_service_spec.rb | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
spec/support/slack_mattermost_notifications_shared_examples.rb | 1 +
8 files changed, 133 insertions(+), 20 deletions(-)
create mode 100644 changelogs/unreleased/projectfix.yml
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,16 +1,12 @@
module MergeRequests
class CreateService < MergeRequests::BaseService
def execute
- # @project is used to determine whether the user can set the merge request's
- # assignee, milestone and labels. Whether they can depends on their
- # permissions on the target project.
- source_project = @project
- @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+ set_projects!
params[:target_project_id] ||= source_project.id
merge_request = MergeRequest.new
- merge_request.source_project = source_project
+ merge_request.source_project = @source_project
merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
create(merge_request)
@@ -22,5 +18,25 @@
todo_service.new_merge_request(issuable, current_user)
issuable.cache_merge_request_closes_issues!(current_user)
end
+
+ def set_projects!
+ # @project is used to determine whether the user can set the merge request's
+ # assignee, milestone and labels. Whether they can depends on their
+ # permissions on the target project.
+ @source_project = @project
+ @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+
+ # make sure that source/target project ids are not in
+ # params so it can't be overridden later when updating attributes
+ # from params when applying quick actions
+ params.delete(:source_project_id)
+ params.delete(:target_project_id)
+
+ unless can?(current_user, :read_project, @source_project) &&
+ can?(current_user, :read_project, @project)
+
+ raise Gitlab::Access::AccessDeniedError
+ end
+ end
end
end

View file

@ -17,3 +17,4 @@ cve-2017-0918.patch
cve-2017-0925.patch cve-2017-0925.patch
cve-2017-0916.patch cve-2017-0916.patch
cve-2018-8971.patch cve-2018-8971.patch
cve-2017-0920.patch