Commit a35e8f47 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-mass-assignment-on-project-update-11-9' into '11-9-stable'

Disallow changing namespace of a project in update method

See merge request gitlab/gitlabhq!3033
parents d0f04c21 14858471
......@@ -47,7 +47,7 @@ class ProjectsController < Projects::ApplicationController
end
def create
@project = ::Projects::CreateService.new(current_user, project_params).execute
@project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
if @project.saved?
cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
......@@ -328,9 +328,9 @@ class ProjectsController < Projects::ApplicationController
end
# rubocop: enable CodeReuse/ActiveRecord
def project_params
def project_params(attributes: [])
params.require(:project)
.permit(project_params_attributes)
.permit(project_params_attributes + attributes)
end
def project_params_attributes
......@@ -349,11 +349,10 @@ class ProjectsController < Projects::ApplicationController
:last_activity_at,
:lfs_enabled,
:name,
:namespace_id,
:only_allow_merge_if_all_discussions_are_resolved,
:only_allow_merge_if_pipeline_succeeds,
:printing_merge_request_link_enabled,
:path,
:printing_merge_request_link_enabled,
:public_builds,
:request_access_enabled,
:runners_token,
......@@ -375,6 +374,10 @@ class ProjectsController < Projects::ApplicationController
]
end
def project_params_create_attributes
[:namespace_id]
end
def custom_import_params
{}
end
......
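Review bot: The new `project_params_create_attributes` method carries no comment saying why `namespace_id` is split out of `project_params_attributes`, and a maintainer who sees `:path` still permitted on update is likely to "tidy up" by moving it back, silently reopening the issue this commit closes. I would add `# Mass-assignable on create only. namespace_id must never be permitted by #update, otherwise a project can be moved into another namespace through this endpoint.` above the method, and `# attributes: extra keys permitted on top of project_params_attributes (create-only keys)` on `project_params`. The `update` action itself is outside these hunks, so I cannot confirm it has no other path that reads `params[:project][:namespace_id]` directly; worth a grep before merging.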
---
title: Disallow updating namespace when updating a project
merge_request:
author:
type: security
......@@ -369,6 +369,23 @@ describe ProjectsController do
end
end
it 'does not update namespace' do
controller.instance_variable_set(:@project, project)
params = {
namespace_id: 'test'
}
expect do
put :update,
params: {
namespace_id: project.namespace,
id: project.id,
project: params
}
end.not_to change { project.namespace.reload }
end
def update_project(**parameters)
put :update,
params: {
......
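Review bot: The new example asserts `not_to change { project.namespace.reload }`, which reloads the Namespace row rather than the project's own foreign key, and it sends `namespace_id: 'test'`, a value an integer column would presumably cast to 0 and reject on validation even without this fix — so the example likely passes against the vulnerable code too and does not prove the regression is fixed. Assert on the project's column with a realistic target instead: create a second namespace the user can access and use `expect { ... }.not_to change { project.reload.namespace_id }`. `controller.instance_variable_set(:@project, project)` also side-steps whatever normally loads `@project`; if the sibling examples go through the `update_project` helper (whose definition begins at the hunk's last lines and continues outside it), this one should too for consistency. The enclosing describe/context block starts outside the hunk.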