authorAlex Hanselka <alex@gitlab.com>2019-03-20 15:57:19 -0500
committerAlex Hanselka <alex@gitlab.com>2019-03-20 15:57:19 -0500
commitc7fc0bf5319aacfc8d8f399202e2f0785d844fcc (patch)
tree6f5ff6e5a10a322e64c25a3128eb542fc7c04c82
parentfbc49fa332fb2302b13a556af02efcc18b3e004d (diff)
parentd8dfd330de71e54633995103103b0a6573ae298c (diff)
Merge remote-tracking branch 'dev/master'
* dev/master: Update CHANGELOG.md for 11.8.3 Update CHANGELOG.md for 11.7.7 Only return `commands_changes` used in frontend
-rw-r--r--CHANGELOG.md15
-rw-r--r--app/controllers/concerns/notes_actions.rb2
-rw-r--r--changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml5
-rw-r--r--spec/controllers/projects/notes_controller_spec.rb31
4 files changed, 52 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bec6a8b3e21..0c33596d9c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.8.3 (2019-03-19)
+
+### Security (1 change)
+
+- Remove project serialization in quick actions response.
+
+
## 11.8.2 (2019-03-13)
### Security (1 change)
@@ -264,6 +271,14 @@ entry.
- Creates mixin to reduce code duplication between CE and EE in graph component.
+## 11.7.7 (2019-03-19)
+
+### Security (2 changes)
+
+- Remove project serialization in quick actions response.
+- Fixed ability to see private groups by users not belonging to given group.
+
+
## 11.7.5 (2019-02-06)
### Fixed (8 changes)
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index b4fee93713b..f96d1821095 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -48,7 +48,7 @@ module NotesActions
respond_to do |format|
format.json do
json = {
- commands_changes: @note.commands_changes
+ commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
}
if @note.persisted? && return_discussion?
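Review bot: The allowlist on the `commands_changes:` line is an inline literal with no comment saying why only these three keys survive, so the next person who adds a quick action that returns a change has no hint that `commands_changes` can carry full model objects (the changelog entry in this commit names the project serialization) and that widening the list is a client-exposure decision. I would hoist it to a documented, frozen constant on the concern, e.g. `# Only the keys the notes frontend consumes; commands_changes may hold full models (e.g. target_project) that must never be serialized to the client.` above `COMMANDS_CHANGES_KEYS = %i[emoji_award time_estimate spend_time].freeze`, and then `commands_changes: @note.commands_changes&.slice(*COMMANDS_CHANGES_KEYS)`. `Hash#slice` with symbol keys silently returns `{}` if the hash were ever keyed by strings; the spec in this commit passes, so the keys are presumably symbols today, but that assumption belongs in the comment too. The enclosing method starts before this hunk and its `respond_to` block runs past it.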
diff --git a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
new file mode 100644
index 00000000000..272f8a95957
--- /dev/null
+++ b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
@@ -0,0 +1,5 @@
+---
+title: Remove project serialization in quick actions response
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 0b0f5117784..deecb7fefe9 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -413,6 +413,37 @@ describe Projects::NotesController do
end
end
end
+
+ context 'when creating a note with quick actions' do
+ context 'with commands that return changes' do
+ let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+
+ it 'includes changes in commands_changes ' do
+ post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+
+ context 'with commands that do not return changes' do
+ let(:issue) { create(:issue, project: project) }
+ let(:other_project) { create(:project) }
+ let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+
+ before do
+ other_project.add_developer(user)
+ end
+
+ it 'does not include changes in commands_changes' do
+ post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+ end
end
describe 'PUT update' do
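Review bot: The final assertion in the 'with commands that do not return changes' example only checks that `target_project` and `title` are absent, which would still pass if some other unexpected key leaked through the allowlist; if `commands_changes` is a (possibly empty) hash after `/move` and `/title`, pin that with `expect(json_response['commands_changes']).to be_empty` instead. The safe-navigation `&.` on the controller side is also uncovered: no example posts a note without quick actions, where `@note.commands_changes` is presumably `nil` and the response should carry a `null` rather than raise, so add a context with plain note text asserting `expect(json_response['commands_changes']).to be_nil` (confirm the expected value against the note model). The example description on the `'includes changes in commands_changes '` line has a trailing space.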