Exposure of GitHub import errors via Import::GithubController#failures
The failures action, which was implemented in !117133 (merged), doesn't perform any sort of authorization, which allows a malicious user to access the import errors of any project imported via GitHub:
https://gitlab.com/import/github/failures?project_id=PROJECT_ID
The endpoint exposes this information about the import error.
Solution
The action should check that the user is the owner of the project, as Import::GithubController#cancel_all does.
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 41477519ba5e..ee6338e70e95 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -92,7 +92,7 @@ def realtime_changes
end
def failures
- project = Project.imported_from(provider_name).find(params[:project_id])
+ project = Project.imported_from(provider_name).created_by(current_user).find(params[:project_id])
unless project.import_finished?
return render status: :bad_request, json: {
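Review bot: scoping the lookup with created_by(current_user) makes find raise ActiveRecord::RecordNotFound (a 404) for any project the current user did not create, which fails closed, but it is a creator check rather than the owner check the description asks for when it points at cancel_all; confirm that creator is the intended authorization boundary here, and add a request spec that asserts a logged-in non-creator gets 404 from GET /import/github/failures?project_id=... so the unscoped lookup cannot be reintroduced.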
@@ -107,7 +107,7 @@ def failures
end
def cancel
- project = Project.imported_from(provider_name).find(params[:project_id])
+ project = Project.imported_from(provider_name).created_by(current_user).find(params[:project_id])
result = Import::Github::CancelProjectImportService.new(project, current_user).execute
if result[:status] == :success
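Review bot: the cancel action had the same unscoped Project.imported_from(provider_name).find(params[:project_id]) lookup and gets the same created_by(current_user) fix, which is the right call; since the context line shows Import::Github::CancelProjectImportService.new(project, current_user) also receiving current_user, check whether that service already enforces permissions (so the two checks agree), and cover cancel with the same non-creator 404 request spec as failures so the two actions do not drift apart again.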
Edited by Rodrigo Tomonari