Merge branch 'security-makrdown-release-description-vulnerability' into 'master'

[master] Markdown of release notes leaks confidential issue titles and MR titles to any users See merge request gitlab/gitlabhq!2869
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-06 12:03:21 +0000
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-06 12:03:21 +0000
commit: b6a437313d9869836417dfafb84b62077873fbe0 (patch)
tree: 8c1e82892dc0d87529441cafebf7a5265fa79475
parent: 0f7920cace3e3a6948593737a658265533315361 (diff)
parent: f942a08d23923afc7c99d750922ff61018cbcbf8 (diff)
download: gitlab-ce-b6a437313d9869836417dfafb84b62077873fbe0.tar.gz
2 files changed, 28 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 9f1394571d8..a1f0efa3c68 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1116,7 +1116,9 @@ module API
 
     class Release < TagRelease
       expose :name
-      expose :description_html
+      expose :description_html do |entity|
+        MarkupHelper.markdown_field(entity, :description)
+      end
       expose :created_at
       expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
       expose :commit, using: Entities::Commit
diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
index 811e23fb854..1f317971a66 100644
--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -127,6 +127,31 @@ describe API::Releases do
           .to match_array(release.sources.map(&:url))
       end
 
+      context "when release description contains confidential issue's link" do
+        let(:confidential_issue) do
+          create(:issue,
+                 :confidential,
+                 project: project,
+                 title: 'A vulnerability')
+        end
+
+        let!(:release) do
+          create(:release,
+                 project: project,
+                 tag: 'v0.1',
+                 sha: commit.id,
+                 author: maintainer,
+                 description: "This is confidential #{confidential_issue.to_reference}")
+        end
+
+        it "does not expose confidential issue's title" do
+          get api("/projects/#{project.id}/releases/v0.1", maintainer)
+
+          expect(json_response['description_html']).to include(confidential_issue.to_reference)
+          expect(json_response['description_html']).not_to include('A vulnerability')
+        end
+      end
+
       context 'when release has link asset' do
         let!(:link) do
           create(:release_link,
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-06 12:03:21 +0000
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-06 12:03:21 +0000
commit	b6a437313d9869836417dfafb84b62077873fbe0 (patch)
tree	8c1e82892dc0d87529441cafebf7a5265fa79475
parent	0f7920cace3e3a6948593737a658265533315361 (diff)
parent	f942a08d23923afc7c99d750922ff61018cbcbf8 (diff)
download	gitlab-ce-b6a437313d9869836417dfafb84b62077873fbe0.tar.gz