
Exposure of GitHub import errors via Import::GithubController#failures

The failures action, implemented in !117133 (merged), doesn't perform any authorization check, which allows a malicious user to access the import errors of any project imported via GitHub:

https://gitlab.com/import/github/failures?project_id=PROJECT_ID

The endpoint exposes this information about the import errors.

Solution

The action should check that the user is the owner of the project, as Import::GithubController#cancel_all does.
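To show why the missing scope matters, here is an added illustration (not GitLab's code) with an in-memory stand-in for the ActiveRecord chain: the unscoped lookup hands back another user's import failures for any project_id, while the lookup narrowed with created_by(current_user) raises a not-found error instead. Project, Relation, RecordNotFound and the sample data are constructed for this example.

```ruby
# Constructed stand-in for ActiveRecord::RecordNotFound (rendered as 404 by Rails).
class RecordNotFound < StandardError; end

# Constructed minimal project record; only the fields the lookup needs.
Project = Struct.new(:id, :import_source, :creator_id, :import_failures)

# Constructed stand-in for an ActiveRecord relation with the two scopes used in the fix.
class Relation
  def initialize(records)
    @records = records
  end

  def imported_from(provider)
    Relation.new(@records.select { |p| p.import_source == provider })
  end

  # The authorization-relevant scope: keep only projects created by the requesting user.
  def created_by(user_id)
    Relation.new(@records.select { |p| p.creator_id == user_id })
  end

  # Like ActiveRecord#find: raises when the id is outside the current scope.
  def find(id)
    @records.find { |p| p.id == id } || raise(RecordNotFound, "Couldn't find Project with id=#{id}")
  end
end

# Constructed sample data: two GitHub imports created by two different users.
PROJECTS = Relation.new([
  Project.new(1, "github", 100, ["repo-a: rate limited by GitHub API"]),
  Project.new(2, "github", 200, ["repo-b: protected branch sync failed"])
])

# Vulnerable lookup (before the fix): any authenticated user may pass any project_id.
def failures_unscoped(project_id, _current_user_id)
  PROJECTS.imported_from("github").find(project_id).import_failures
end

# Fixed lookup (after the fix): the chain is narrowed to the caller's own projects first,
# so a foreign project_id falls outside the scope and find raises instead of returning it.
def failures_scoped(project_id, current_user_id)
  PROJECTS.imported_from("github").created_by(current_user_id).find(project_id).import_failures
end

if __FILE__ == $PROGRAM_NAME
  p failures_unscoped(2, 100)  # user 100 reads user 200's import errors
  begin
    failures_scoped(2, 100)
  rescue RecordNotFound => e
    puts "fixed: #{e.message}"
  end
end
```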

diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 41477519ba5e..ee6338e70e95 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -92,7 +92,7 @@ def realtime_changes
   end
 
   def failures
-    project = Project.imported_from(provider_name).find(params[:project_id])
+    project = Project.imported_from(provider_name).created_by(current_user).find(params[:project_id])
 
     unless project.import_finished?
       return render status: :bad_request, json: {
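Review bot: the created_by(current_user) scope added to the failures lookup restricts access to the project's creator rather than its owner, while the description asks for an owner check like the one in cancel_all; confirm that creator is the intended authorization boundary (a project transferred to a new owner would stay reachable only by its original creator), and add a request spec asserting that a project_id belonging to another user is rejected by find (the record is now outside the scope) instead of returning its failures.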
@@ -107,7 +107,7 @@ def failures
   end
 
   def cancel
-    project = Project.imported_from(provider_name).find(params[:project_id])
+    project = Project.imported_from(provider_name).created_by(current_user).find(params[:project_id])
     result = Import::Github::CancelProjectImportService.new(project, current_user).execute
 
     if result[:status] == :success
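Review bot: the same scoped lookup is now duplicated verbatim in failures and cancel; extract it into a private helper (for example a find_import_project method) so the authorization scope lives in one place and a future action cannot omit it. Also check whether Import::Github::CancelProjectImportService already authorizes current_user against the project, since with this scope an unauthorized cancel now fails in find before the service runs, and any spec that expected a service-level error result will need updating.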
Edited by Rodrigo Tomonari