-
- Downloads
Merge branch 'fix/private-labels-permissions' into 'master'
Fix vulnerability that leaks private labels and milestones ## Summary This fixes vulnerability that leaks information about private labels and milestones because of insecure direct object reference in issueable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 ## Fix This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does. ## Further work `IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 See merge request !1954
Showing
- CHANGELOG 117 additions, 0 deletionsCHANGELOG
- app/services/issuable_base_service.rb 26 additions, 2 deletionsapp/services/issuable_base_service.rb
- spec/services/issues/bulk_update_service_spec.rb 1 addition, 1 deletionspec/services/issues/bulk_update_service_spec.rb
- spec/services/issues/create_service_spec.rb 49 additions, 14 deletionsspec/services/issues/create_service_spec.rb
- spec/services/issues/update_service_spec.rb 8 additions, 3 deletionsspec/services/issues/update_service_spec.rb
- spec/services/merge_requests/update_service_spec.rb 8 additions, 3 deletionsspec/services/merge_requests/update_service_spec.rb
Loading
Please register or sign in to comment