Wrong information from APIs used by JIRA
Summary
Two endpoints used by JIRA could return incorrect information from a different project instead of a 404 error.
This happens when an API user requests information for an invalid project (a project where they do not have the right access level, a non-existent project, etc.) but the :id used corresponds to a valid merge request that they do have access to.
https://gitlab.com/api/v3/repos/:namespace/:project/pulls/:id
https://gitlab.com/api/v3/repos/:namespace/:project/issues/:id/comments
This is not a bug we would notice in practice, because JIRA always uses the right endpoints, but the behavior would be more accurate if we also filtered by the project on our end.
Steps to reproduce
One example using local data:
curl --header "PRIVATE-TOKEN: xxxxx" --header "User-Agent: JIRA DVCS Connector" "http://localhost:3000/api/v3/repos/invalid-group/invalid-project/pulls/21"
The response comes from the wrong group/project (gnuwget/wget2, per the html_url and repo fields) even though invalid-group/invalid-project was requested:
{
  "title": "Necessitatibus officiis repellendus nemo quasi ipsam laborum nesciunt.",
  "assignee": {
    "id": 1,
    "login": "root",
    "url": "http://localhost:3000/root",
    "html_url": "http://localhost:3000/root",
    "avatar_url": "https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon"
  },
  "user": {
    "id": 4,
    "login": "sydney",
    "url": "http://localhost:3000/sydney",
    "html_url": "http://localhost:3000/sydney",
    "avatar_url": "https://www.gravatar.com/avatar/22063ac6482101d38cd705ddf3cb2db8?s=80&d=identicon"
  },
  "created_at": "2019-09-26T12:59:29.685Z",
  "body": "Repellendus a veritatis sit quo est cupiditate aut minus. Alias mollitia deserunt voluptatum blanditiis perferendis. Et accusantium aspernatur dolor error illo porro et.",
  "number": 21,
  "state": "open",
  "merged": false,
  "merged_at": null,
  "closed_at": null,
  "updated_at": "2019-09-26T12:59:29.685Z",
  "html_url": "http://localhost:3000/gnuwget/wget2/merge_requests/7",
  "head": {
    "label": "tmp-exclude-directories",
    "ref": "tmp-exclude-directories",
    "repo": {
      "id": 3,
      "owner": {
        "login": "gnuwget"
      },
      "name": "wget2"
    }
  },
  "base": {
    "label": "gsoc-http2-testsuite",
    "ref": "gsoc-http2-testsuite",
    "repo": {
      "id": 3,
      "owner": {
        "login": "gnuwget"
      },
      "name": "wget2"
    }
  }
}
What is the expected correct behavior?
{
  "message": "404 Not Found"
}
Possible fixes
The issue is in the query that retrieves the authorized merge requests: https://gitlab.com/gitlab-org/gitlab/blob/6daa5c9fcc3e9c1a9b1365a8906d097218432972/ee/lib/api/v3/github.rb#L71
That query only checks that the user can access the merge request with the given :id; we also have to filter by the project specified in the request path, so that a mismatched, non-existent or inaccessible project yields a 404 instead of another project's record.
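An added illustration of the lookup flaw and its fix, written for this report and not taken from the GitLab code base: the data (users, projects and merge requests) is constructed, and the function names are hypothetical. The buggy lookup matches :id against every merge request the user may see, so the :namespace/:project in the path is ignored; the fixed lookup scopes the search to that project.

```ruby
# Constructed sample data (not real GitLab records).
MergeRequest = Struct.new(:id, :project_path, :title, keyword_init: true)

# :id in the report is the global merge request id, not the per-project iid.
MERGE_REQUESTS = [
  MergeRequest.new(id: 21, project_path: "gnuwget/wget2", title: "Necessitatibus officiis repellendus"),
  MergeRequest.new(id: 22, project_path: "other/project", title: "Unrelated merge request"),
].freeze

# Which projects each user may read (constructed).
AUTHORIZED_PROJECTS = { "root" => ["gnuwget/wget2", "other/project"] }.freeze

# Every merge request the user is allowed to see, regardless of the URL.
def authorized_merge_requests(user)
  allowed = AUTHORIZED_PROJECTS.fetch(user, [])
  MERGE_REQUESTS.select { |mr| allowed.include?(mr.project_path) }
end

# Buggy behaviour described in the report: only the :id is matched, so a request
# for invalid-group/invalid-project still returns the gnuwget/wget2 record.
def find_pull_buggy(user, namespace, project, id)
  authorized_merge_requests(user).find { |mr| mr.id == id }
end

# Fixed behaviour: the project named in the path must exist, be readable by the
# user, and own the merge request. nil means the caller answers 404 Not Found.
def find_pull_fixed(user, namespace, project, id)
  path = "#{namespace}/#{project}"
  return nil unless AUTHORIZED_PROJECTS.fetch(user, []).include?(path)

  authorized_merge_requests(user).find { |mr| mr.project_path == path && mr.id == id }
end

# Response body in the shape the JIRA connector expects: the record or the 404 message.
def pulls_response(user, namespace, project, id)
  mr = find_pull_fixed(user, namespace, project, id)
  mr ? { "number" => mr.id, "title" => mr.title } : { "message" => "404 Not Found" }
end
```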