debian-mirror-gitlab/debian/patches/CVE-2019-19254.patch

From 5bdfcaa1c268aa475a11480a0ae33691f73a1a96 Mon Sep 17 00:00:00 2001
From: Brandon Labuschagne <blabuschagne@gitlab.com>
Date: Fri, 15 Nov 2019 14:39:29 +0000
Subject: [PATCH 1/2] Ensure that summary items remain aligned

Default number of items is 3. If this is not the case,
then increase the column width of the summary items
to cater for 2 items plus the date filter.
---
 .../javascripts/cycle_analytics/cycle_analytics_bundle.js   | 6 ++++++
 app/views/projects/cycle_analytics/show.html.haml           | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
+++ b/app/assets/javascripts/cycle_analytics/cycle_analytics_bundle.js
@@ -56,10 +56,16 @@
         service: this.createCycleAnalyticsService(cycleAnalyticsEl.dataset.requestPath),
       };
     },
+    defaultNumberOfSummaryItems: 3,
     computed: {
       currentStage() {
         return this.store.currentActiveStage();
       },
+      summaryTableColumnClass() {
+        return this.state.summary.length === this.$options.defaultNumberOfSummaryItems
+          ? 'col-sm-3'
+          : 'col-sm-4';
+      },
     },
     created() {
       // Conditional check placed here to prevent this method from being called on the
--- a/app/views/projects/cycle_analytics/show.html.haml
+++ b/app/views/projects/cycle_analytics/show.html.haml
@@ -14,10 +14,10 @@
       .content-block
         .container-fluid
           .row
-            .col-sm-3.col-12.column{ "v-for" => "item in state.summary" }
+            .col-12.column{ "v-for" => "item in state.summary", ":class" => "summaryTableColumnClass" }
               %h3.header {{ item.value }}
               %p.text {{ item.title }}
-            .col-sm-3.col-12.column
+            .col-12.column{ ":class" => "summaryTableColumnClass" }
               .dropdown.inline.js-ca-dropdown
                 %button.dropdown-menu-toggle{ "data-toggle" => "dropdown", :type => "button" }
                   %span.dropdown-label {{ n__('Last %d day', 'Last %d days', 30) }}
--- /dev/null
+++ b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Hide commit counts from guest users in Cycle Analytics.
+merge_request:
+author:
+type: security
--- a/lib/gitlab/cycle_analytics/stage_summary.rb
+++ b/lib/gitlab/cycle_analytics/stage_summary.rb
@@ -10,13 +10,29 @@
       end
 
       def data
-        [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)),
-         serialize(Summary::Commit.new(project: @project, from: @from)),
-         serialize(Summary::Deploy.new(project: @project, from: @from))]
+        summary = [issue_stats]
+        summary << commit_stats if user_has_sufficient_access?
+        summary << deploy_stats
       end
 
       private
 
+      def issue_stats
+        serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
+      end
+
+      def commit_stats
+        serialize(Summary::Commit.new(project: @project, from: @from))
+      end
+
+      def deploy_stats
+        serialize(Summary::Deploy.new(project: @project, from: @from))
+      end
+
+      def user_has_sufficient_access?
+        @project.team.member?(@current_user, Gitlab::Access::REPORTER)
+      end
+
       def serialize(summary_object)
         AnalyticsSummarySerializer.new.represent(summary_object)
       end
--- a/spec/features/cycle_analytics_spec.rb
+++ b/spec/features/cycle_analytics_spec.rb
@@ -108,6 +108,10 @@
       wait_for_requests
     end
 
+    it 'does not show the commit stats' do
+      expect(page).to have_no_selector(:xpath, commits_counter_selector)
+    end
+
     it 'needs permissions to see restricted stages' do
       expect(find('.stage-events')).to have_content(issue.title)
 
@@ -123,8 +127,12 @@
     find(:xpath, "//p[contains(text(),'New Issue')]/preceding-sibling::h3")
   end
 
+  def commits_counter_selector
+    "//p[contains(text(),'Commits')]/preceding-sibling::h3"
+  end
+
   def commits_counter
-    find(:xpath, "//p[contains(text(),'Commits')]/preceding-sibling::h3")
+    find(:xpath, commits_counter_selector)
   end
 
   def deploys_counter
--- a/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/stage_summary_spec.rb
@@ -8,6 +8,10 @@
   let(:user) { create(:user, :admin) }
   subject { described_class.new(project, from: Time.now, current_user: user).data }
 
+  before do
+    project.add_maintainer(user)
+  end
+
   describe "#new_issues" do
     it "finds the number of issues created after the 'from date'" do
       Timecop.freeze(5.days.ago) { create(:issue, project: project) }
@@ -42,6 +46,23 @@
 
       expect(subject.second[:value]).to eq(100)
     end
+
+    context 'when a guest user is signed in' do
+      let(:guest_user) { create(:user) }
+
+      before do
+        project.add_guest(guest_user)
+      end
+
+      it 'does not include commit stats' do
+        data = described_class.new(project, from: from, current_user: guest_user).data
+        expect(includes_commits?(data)).to be_falsy
+      end
+
+      def includes_commits?(data)
+        data.any? { |h| h["title"] == 'Commits' }
+      end
+    end
   end
 
   describe "#deploys" do