From 16a0303801319e722bfcdadbcdeae8550e3e5dcf Mon Sep 17 00:00:00 2001
From: Ruben Davila <rdavila84@gmail.com>
Date: Mon, 27 Jun 2016 13:23:19 -0500
Subject: [PATCH] Check for conflict with wiki projects when creating a new
 project.

This fix avoids exposing information from the wiki repository of another project.
---
 CHANGELOG                   |  1 +
 app/models/project.rb       | 11 +++++++++++
 spec/models/project_spec.rb | 21 +++++++++++++++++++++
 3 files changed, 33 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index d32c1fd84922e..07998b0fb5c5a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -10,6 +10,7 @@ v 8.10.0 (unreleased)
   - Implement Subresource Integrity for CSS and JavaScript assets. This prevents malicious assets from loading in the case of a CDN compromise.
   - Fix changing issue state columns in milestone view
   - Fix user creation with stronger minimum password requirements !4054 (nathan-pmt)
+  - Check for conflicts with existing Project's wiki path when creating a new project.
   - Add API endpoint for a group issues !4520 (mahcsig)
 
 v 8.9.1
diff --git a/app/models/project.rb b/app/models/project.rb
index ca3bc04e2dda5..9683736442389 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -163,6 +163,7 @@ def update_forks_visibility_level
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
   validate :visibility_level_allowed_by_group
   validate :visibility_level_allowed_as_fork
+  validate :check_wiki_path_conflict
 
   add_authentication_token_field :runners_token
   before_save :ensure_runners_token
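Review bot: `validate :check_wiki_path_conflict` is registered without a condition, so it runs and issues a query on every save, not only on creation as the commit subject describes. If any pair of existing projects already conflicts, unrelated updates to those records would start failing validation. Consider limiting it to saves where the location can change, e.g. `validate :check_wiki_path_conflict, if: ->(project) { project.new_record? || project.path_changed? || project.namespace_id_changed? }`. The check is also application-level only, so two concurrent creations could presumably both pass it; a comment next to the validation should say so.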
@@ -539,6 +540,16 @@ def visibility_level_allowed_as_fork
     self.errors.add(:visibility_level, "#{level_name} is not allowed since the fork source project has lower visibility.")
   end
 
+  def check_wiki_path_conflict
+    return if path.blank?
+
+    path_to_check = path.ends_with?('.wiki') ? path.chomp('.wiki') : "#{path}.wiki"
+
+    if Project.where(namespace_id: namespace_id, path: path_to_check).exists?
+      errors.add(:name, 'has already been taken')
+    end
+  end
+
   def to_param
     path
   end
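Review bot: In `check_wiki_path_conflict`, a path that already ends in `.wiki` is compared only against its stripped form, so the `"#{path}.wiki"` name that its own wiki would presumably use is never checked for such a path. Checking both candidates closes that gap: `candidates = ["#{path}.wiki"]`, `candidates << path.chomp('.wiki') if path.ends_with?('.wiki')`, then `Project.where(namespace_id: namespace_id, path: candidates).exists?`. The error is also attached to `:name` although the colliding attribute is `path`, so the message may point the user at the wrong field; `errors.add(:path, 'has already been taken')` would match the check, with the spec expectations updated accordingly. A one-line comment above the method stating why a `.wiki` suffix collides with another project's wiki would help the next reader.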
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 53c8408633c2d..d305cd9ff1e39 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -63,6 +63,27 @@
       expect(project2).not_to be_valid
       expect(project2.errors[:limit_reached].first).to match(/Personal project creation is not allowed/)
     end
+
+    describe 'wiki path conflict' do
+      context "when the new path has been used by the wiki of other Project" do
+        it 'should have an error on the name attribute' do
+          new_project = build_stubbed(:project, namespace_id: project.namespace_id, path: "#{project.path}.wiki")
+
+          expect(new_project).not_to be_valid
+          expect(new_project.errors[:name].first).to eq('has already been taken')
+        end
+      end
+
+      context "when the new wiki path has been used by the path of other Project" do
+        it 'should have an error on the name attribute' do
+          project_with_wiki_suffix = create(:project, path: 'foo.wiki')
+          new_project = build_stubbed(:project, namespace_id: project_with_wiki_suffix.namespace_id, path: 'foo')
+
+          expect(new_project).not_to be_valid
+          expect(new_project.errors[:name].first).to eq('has already been taken')
+        end
+      end
+    end
   end
 
   describe 'default_scope' do
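Review bot: Both new examples assert only the rejecting path, so nothing shows that the same `.wiki` name in a different namespace stays valid. A query that lost its `namespace_id` condition would still pass this spec. Adding a context that builds the `"#{project.path}.wiki"` project under another namespace and asserts `expect(new_project).to be_valid` would pin the scoping. An example for a path ending in `.wiki` whose own `"#{path}.wiki"` name is already taken is missing as well. `project` in the first context is defined outside this hunk.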
-- 
GitLab