Coverage Fuzz - Request error
Edge Case
This bug is an edge case. It is only visible when a user who does not belong to a project views a public project's merge request that has a security report widget. It appears to have existed for a long time, but I can't confirm. Looking at the code below, I'm unsure how we ever factored security report permissions into the widgets, other than checking whether the reports are enabled for a given project.
Bug
Endpoint Failure (Production project link) - couldn't reproduce locally
https://gitlab.com/huldra/arctic/-/vulnerability_feedback?category=coverage_fuzzing
https://gitlab.com/huldra/arctic/-/merge_requests/152
Screenshots
Overview of the logic that shows/hides the security reports section in an MR widget (screenshots not preserved, captions only):
Component import
Component definition with conditional rendering
Rendering logic
Value assigned from the Vuex store
Backend: how enabled_reports is defined, from https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/ee/merge_request.rb#L159
Possible Solutions
1.) From the backend, return an empty array for enabled_reports if the user doesn't have permission to view the reports.
2.) Pass another value into the UI that represents whether or not the user has permission to view security reports. enabled_reports only tells us whether the project has reports enabled, regardless of the user's permissions. If the user does not have access to security reports, we avoid rendering the security reports section altogether.
Option 1 is more ideal and requires no frontend changes. Option 2 requires more or less the same logic in the backend, plus additional frontend changes.
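The following is an added illustration, not GitLab's code: it models the widget's current behaviour (trusting enabled_reports alone, so a non-member's widget still requests vulnerability_feedback and gets a failing response) next to option 1, where the backend returns no enabled reports for a user who may not read them. Project, enabled_reports_for, render_widget_* and the "members may read reports" rule are hypothetical stand-ins for the real models and permission checks.

```ruby
# Added illustration (not GitLab code). All names here are hypothetical.
REPORT_TYPES = %i[sast coverage_fuzzing].freeze

Project = Struct.new(:members, :report_types) do
  # Mirrors enabled_reports on the MR model: which report artifacts the
  # project produces, with no regard to who is asking.
  def enabled_reports
    REPORT_TYPES.to_h { |type| [type, report_types.include?(type)] }
  end

  # Assumption for this example: only project members may read report data.
  def can_read_security_reports?(user)
    members.include?(user)
  end

  # Stand-in for GET /vulnerability_feedback?category=<type>: the endpoint
  # itself enforces the permission, which is where the widget's error comes from.
  def vulnerability_feedback(user, _category)
    return { status: 403, body: nil } unless can_read_security_reports?(user)

    { status: 200, body: [] }
  end
end

# Current behaviour: the widget renders every enabled report type and fetches
# its feedback, so a non-member sees a request error instead of nothing.
def render_widget_buggy(project, user)
  project.enabled_reports.select { |_, on| on }.keys.to_h do |type|
    [type, project.vulnerability_feedback(user, type)[:status]]
  end
end

# Option 1: the backend hides enabled_reports from users who cannot read them,
# so the widget has no report types to render and issues no request at all.
def enabled_reports_for(project, user)
  return {} unless project.can_read_security_reports?(user)

  project.enabled_reports
end

def render_widget_fixed(project, user)
  enabled_reports_for(project, user).select { |_, on| on }.keys.to_h do |type|
    [type, project.vulnerability_feedback(user, type)[:status]]
  end
end
```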
Conclusion
Current behavior is an existing bug and not related to coverage fuzzing specifically. Suggestion is to triage the bug and assign for further refinement.
Unrelated (500) error code:
Other Notes
So the above 500 is unrelated, I think. It just causes a 500 for the show view in the format.html block of the controller action. This happens when you click the pipeline link in the MR. Coincidental, I think.