Security: Ensure all ActiveRecord finds are properly scoped
Description
MR: Fix auth and unscoped AR queries, remove args (!118569 - merged)
We need to ensure that all ActiveRecord find queries for our models (`Workspace` and `RemoteDevelopmentAgentConfig`) are properly scoped, to avoid security issues. See https://brakemanscanner.org/docs/warning_types/unscoped_find/ for a description of this class of vulnerability.
There are several known places where we need to fix this, e.g. `ee/lib/remote_development/workspaces/reconcile/reconcile_processor.rb`, where there are several TODO comments related to this:
```ruby
# TODO: SECURITY CONCERN - This needs to be scoped by agent
workspaces_to_return_in_rails_infos_query = Workspace.all
```
We should also review all other ActiveRecord finds or queries in the `remote_dev` branch to see if this vulnerability exists anywhere else.
Tasks
- Check workspace creation (this is already using `workspace = group.workspaces.build(params)`, which should be OK assuming that's the permission scope we want for creation: https://gitlab.com/gitlab-org/gitlab/-/blob/remote_dev/ee/lib/remote_development/workspaces/create/create_processor.rb#L38-38)
- Check/fix all finds in `ee/lib/remote_development/workspaces/reconcile/reconcile_processor.rb` and remove related TODOs
- Check for any other find/create/build in the `remote_dev` branch
Edited by Chad Woolley
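A review aid for the last task, as an added example (not GitLab's code and not how Brakeman implements its check): a line-based heuristic that flags class-level queries on the two models named above while letting association-scoped calls pass. The list of query methods, the `agent.workspaces` association and the last two sample lines are assumptions constructed for illustration.

```ruby
# Added example: heuristic review aid, not GitLab or Brakeman code.
MODELS = %w[Workspace RemoteDevelopmentAgentConfig].freeze # models named in the issue
# Assumed list of class-level calls that query without going through an owner.
QUERY_METHODS = %w[all find find_by find_by! where first last pluck exists? find_each].freeze

MODEL_ALT = MODELS.join('|')
QUERY_ALT = QUERY_METHODS.map { |m| Regexp.escape(m) }.join('|')
# The lookbehind rejects method chains such as `agent.workspaces.find`;
# the lookahead makes sure the whole method name was matched.
UNSCOPED = /(?<![\w.])(?<model>#{MODEL_ALT})\.(?<query>#{QUERY_ALT})(?![\w?!])/

Finding = Struct.new(:path, :line, :model, :query, :code)

# Returns one Finding per source line that calls a query method directly on a model class.
def unscoped_queries(path, source)
  source.each_line.with_index(1).filter_map do |text, lineno|
    next if text.strip.start_with?('#') # ignore whole-line comments
    m = UNSCOPED.match(text)
    Finding.new(path, lineno, m[:model], m[:query], text.strip) if m
  end
end

# Constructed sample: lines 1-3 are quoted in the issue, lines 4-5 are hypothetical.
SAMPLE = <<~'RUBY'
  # TODO: SECURITY CONCERN - This needs to be scoped by agent
  workspaces_to_return_in_rails_infos_query = Workspace.all
  workspace = group.workspaces.build(params)
  persisted = agent.workspaces.where(name: names)
  config = RemoteDevelopmentAgentConfig.find_by(id: params[:id])
RUBY

unscoped_queries('reconcile_processor.rb', SAMPLE).each do |f|
  puts "#{f.path}:#{f.line}: #{f.model}.#{f.query} is not scoped -> #{f.code}"
end
```

A clean result only means no class-level call matched this pattern; each hit still needs a human decision about which owner (agent, group, user) the query should go through.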