update_service_spec.rb
Fix vulnerability that leaks private labels and milestones

## Summary

This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

## Fix

This MR introduces an additional check that rejects labels and milestones that do not belong to the same project as the issue/merge request does.

## Further work

`IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which may then improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954
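The check the commit message describes, as an added example that is not GitLab's own code: client-supplied label and milestone ids are kept only when the target project owns them, shown beside the pass-through behaviour that allowed the reference into another project's records. The class and method names (`IssuableCreateService`, `filter_params`) and the sample projects are constructed for illustration.

```ruby
# Constructed stand-ins for the ActiveRecord models; all ids and titles are made up.
Label     = Struct.new(:id, :project_id, :title)
Milestone = Struct.new(:id, :project_id, :title)
Project   = Struct.new(:id, :labels, :milestones)

class IssuableCreateService
  def initialize(project)
    @project = project
  end

  # Before the fix: ids from the request are handed to the model unchanged,
  # so an id belonging to a private project is accepted and its title later
  # shows up on the created issue or merge request (the leak).
  def params_before_fix(params)
    { label_ids: Array(params[:label_ids]), milestone_id: params[:milestone_id] }
  end

  # After the fix: a label id survives only if this project owns the label,
  # and the milestone id is dropped unless this project owns the milestone.
  def filter_params(params)
    allowed_label_ids = @project.labels.map(&:id)
    label_ids = Array(params[:label_ids]).select { |id| allowed_label_ids.include?(id) }

    milestone_id = params[:milestone_id]
    milestone_id = nil unless @project.milestones.any? { |m| m.id == milestone_id }

    { label_ids: label_ids, milestone_id: milestone_id }
  end
end

# Returns [unfiltered, filtered] for a request that mixes the target project's
# own label (10) with a label (20) and milestone (200) from a private project.
def demo
  public_project  = Project.new(1, [Label.new(10, 1, 'bug')], [Milestone.new(100, 1, 'v1.0')])
  private_project = Project.new(2, [Label.new(20, 2, 'confidential')], [Milestone.new(200, 2, 'internal')])

  params  = { label_ids: [10, private_project.labels.first.id], milestone_id: private_project.milestones.first.id }
  service = IssuableCreateService.new(public_project)

  [service.params_before_fix(params), service.filter_params(params)]
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "before fix: #{before.inspect}"
  puts "after fix:  #{after.inspect}"
end
```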