Check permission to read a package when returning packages from multiple projects
🔥 Context
In !111775 (merged) we added changes that look for the package in multiple projects sharing the same root namespace.
There is a security concern: we only check the :read_package permission for the one project that holds the package's latest version (https://gitlab.com/gitlab-org/gitlab/-/blob/c18627af6abc0952f5fd99822d7457a5d357b8b6/lib/api/concerns/packages/npm_endpoints.rb#L196), while potentially returning packages from several projects.
🚒 Solution
Luckily, the changes are still behind a feature flag that has not been rolled out yet.
We need to return only the packages from those projects the user has :read_package permission for.
Additionally, we have to check the number of authorized packages (packages whose project the user has read_package permission on). If packages were found but none of them are authorized, raise 403.
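The rule described above, as an added example that is not GitLab's code: packages collected across several projects are filtered by a per-project permission check before anything is returned, and the request is refused when packages exist but none are readable. The `Package` and `User` structs, the `can_read_package?` stand-in for GitLab's `can?(user, :read_package, project)`, and the choice to treat "no packages at all" as 404 are assumptions of this example.

```ruby
# Added example (not GitLab's own code). Demonstrates filtering npm packages
# found in multiple projects down to the ones the requesting user may read,
# and refusing the request when packages exist but none are readable.

Forbidden = Class.new(StandardError) # stands in for a 403 response
NotFound  = Class.new(StandardError) # stands in for a 404 response

# Constructed, minimal models for the example.
Package = Struct.new(:name, :version, :project_id, keyword_init: true)
User    = Struct.new(:name, :readable_project_ids, keyword_init: true)

# Hypothetical stand-in for GitLab's `can?(user, :read_package, project)`.
def can_read_package?(user, project_id)
  user.readable_project_ids.include?(project_id)
end

# Keep only packages whose project the user has :read_package on.
# The check runs per package, not once for the project of the latest version.
def authorized_packages(user, packages)
  packages.select { |pkg| can_read_package?(user, pkg.project_id) }
end

# The issue's rule: packages were found, but none are authorized => 403.
# Treating an empty result set as 404 is an assumption of this example.
def packages_for_user(user, packages)
  raise NotFound, 'package not found' if packages.empty?

  authorized = authorized_packages(user, packages)
  raise Forbidden, 'no readable packages' if authorized.empty?

  authorized
end

# "Latest" must be computed over the authorized set only, otherwise the
# response would still reveal a version from a project the user cannot read.
def latest_version(user, packages)
  packages_for_user(user, packages)
    .map(&:version)
    .max_by { |v| v.split('.').map(&:to_i) }
end

# Constructed sample: the same package name in three projects of one namespace.
SAMPLE_PACKAGES = [
  Package.new(name: '@acme/lib', version: '1.0.0', project_id: 1),
  Package.new(name: '@acme/lib', version: '1.1.0', project_id: 2),
  Package.new(name: '@acme/lib', version: '2.0.0', project_id: 3)
].freeze

if __FILE__ == $PROGRAM_NAME
  alice = User.new(name: 'alice', readable_project_ids: [1, 3])
  bob   = User.new(name: 'bob',   readable_project_ids: [2])
  carol = User.new(name: 'carol', readable_project_ids: [])

  puts packages_for_user(alice, SAMPLE_PACKAGES).map(&:version).inspect
  puts latest_version(bob, SAMPLE_PACKAGES) # bob never sees 2.0.0
  begin
    packages_for_user(carol, SAMPLE_PACKAGES)
  rescue Forbidden => e
    puts "403: #{e.message}"
  end
end
```

Because the permission check is applied to every package rather than to the single project that owns the latest version, a user who can read only one of the projects gets that project's versions and a "latest" computed from them alone.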