Merge branch 'mc/bug/38984-wildcard-protected-tags-10-2' into 'security-10-2'

Fix using wildcards in protected tags to expose protected variables - 10.2 See merge request gitlab/gitlabhq!2308

Merge branch 'mc/bug/38984-wildcard-protected-tags-10-2' into 'security-10-2'
835a780a · Kamil Trzciński · Robert Speicher · 8489f5f3 · 835a780a · 835a780a
Commit 835a780a authored Jan 26, 2018 by Kamil Trzciński Committed by Robert Speicher Feb 02, 2018
7 changed files
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1554,8 +1554,11 @@ class Project < ActiveRecord::Base
  end

  def protected_for?(ref)
-    ProtectedBranch.protected?(self, ref) ||
+    if repository.branch_exists?(ref)
+      ProtectedBranch.protected?(self, ref)
+    elsif repository.tag_exists?(ref)
      ProtectedTag.protected?(self, ref)
+    end
  end

  def deployment_variables

--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -220,6 +220,12 @@ class Repository
    branch_names.include?(branch_name)
  end

+  def tag_exists?(tag_name)
+    return false unless raw_repository
+
+    tag_names.include?(tag_name)
+  end
+
  def ref_exists?(ref)
    !!raw_repository&.ref_exists?(ref)
  rescue ArgumentError

--- a/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+++ b/changelogs/unreleased/mc-bug-38984-wildcard-protected-tags.yml
+---
+title: Fix wilcard protected tags protecting all branches
+merge_request:
+author:
+type: security
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1431,7 +1431,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1439,7 +1439,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1476,7 +1476,7 @@ describe Ci::Build do

      context 'when the branch is protected' do
        before do
-          create(:protected_branch, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }
@@ -1484,7 +1484,7 @@ describe Ci::Build do

      context 'when the tag is protected' do
        before do
-          create(:protected_tag, project: build.project, name: build.ref)
+          allow(build.project).to receive(:protected_for?).with(build.ref).and_return(true)
        end

        it { is_expected.to include(protected_variable) }

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -550,7 +550,7 @@ describe Group do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -558,7 +558,7 @@ describe Group do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -572,6 +572,10 @@ describe Group do
      let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
      let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }

+      before do
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
+      end
+
      it 'returns all variables belong to the group and parent groups' do
        expected_array1 = [protected_variable, secret_variable]
        expected_array2 = [variable_child, variable_child_2, variable_child_3]

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2042,7 +2042,7 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2050,7 +2050,7 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end

      it_behaves_like 'ref is protected'
@@ -2075,6 +2075,8 @@ describe Project do

    context 'when the ref is a protected branch' do
      before do
+        allow(project).to receive(:repository).and_call_original
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
        create(:protected_branch, name: 'ref', project: project)
      end

@@ -2085,6 +2087,8 @@ describe Project do

    context 'when the ref is a protected tag' do
      before do
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
+        allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
        create(:protected_tag, name: 'ref', project: project)
      end


--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -1175,6 +1175,15 @@ describe Repository do
    end
  end

+  describe '#tag_exists?' do
+    it 'uses tag_names' do
+      allow(repository).to receive(:tag_names).and_return(['foobar'])
+
+      expect(repository.tag_exists?('foobar')).to eq(true)
+      expect(repository.tag_exists?('master')).to eq(false)
+    end
+  end
+
  describe '#branch_names', :use_clean_rails_memory_store_caching do
    let(:fake_branch_names) { ['foobar'] }