Merge branch 'issue_17302' into 'master'

Fix api leaking notes when user is not authorized to read noteable fixes #17302 See merge request !4102

Merge branch 'issue_17302' into 'master'
da8ac163 · Rémy Coutable · 98d88e81 · 5bf49bb6 · da8ac163 · da8ac163
Commit da8ac163 authored May 18, 2016 by Rémy Coutable
Expand all Show whitespace changes
Inline Side-by-side

Showing with 81 additions and 8 deletions

CHANGELOG CHANGELOG +1 -0

notes.rb lib/api/notes.rb +16 -5

notes_spec.rb spec/requests/api/notes_spec.rb +64 -3

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
  - Bump mail_room to 0.7.0 to fix stuck IDLE connections
  - Remove future dates from contribution calendar graph.
  - Support e-mail notifications for comments on project snippets
+  - Fix API leak of notes of unauthorized issues, snippets and merge requests
  - Use ActionDispatch Remote IP for Akismet checking
  - Fix error when visiting commit builds page before build was updated
  - Add 'l' shortcut to open Label dropdown on issuables and 'i' to create new issue on a project

--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -19,8 +19,9 @@ module API
        #   GET /projects/:id/issues/:noteable_id/notes
        #   GET /projects/:id/snippets/:noteable_id/notes
        get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
-          @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
+          @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym])
+          if can?(current_user, noteable_read_ability_name(@noteable), @noteable)
            # We exclude notes that are cross-references and that cannot be viewed
            # by the current user. By doing this exclusion at this level and not
            # at the DB query level (which we cannot in that case), the current
@@ -33,6 +34,9 @@ module API
              paginate(@noteable.notes).
              reject { |n| n.cross_reference_not_visible_for?(current_user) }
            present notes, with: Entities::Note
+          else
+            not_found!("Notes")
+          end
        end
        # Get a single +noteable+ note
@@ -45,13 +49,14 @@ module API
        #   GET /projects/:id/issues/:noteable_id/notes/:note_id
        #   GET /projects/:id/snippets/:noteable_id/notes/:note_id
        get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do
-          @noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
+          @noteable = user_project.send(noteables_str.to_sym).find(params[noteable_id_str.to_sym])
          @note = @noteable.notes.find(params[:note_id])
+          can_read_note = can?(current_user, noteable_read_ability_name(@noteable), @noteable) && !@note.cross_reference_not_visible_for?(current_user)
-          if @note.cross_reference_not_visible_for?(current_user)
+          if can_read_note
-            not_found!("Note")
-          else
            present @note, with: Entities::Note
+          else
+            not_found!("Note")
          end
        end
@@ -136,5 +141,11 @@ module API
        end
      end
    end
+    helpers do
+      def noteable_read_ability_name(noteable)
+        "read_#{noteable.class.to_s.underscore.downcase}".to_sym
+      end
+    end
  end
 end
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb