Resolve possible cherry pick API race conditionrs-cherry-pick-api

Previously, we just fetched the latest commit for the given branch when
presenting the resulting commit, but because something could have been
committed to that branch between the time we cherry-picked and the time
we render the result, the wrong commit could have been presented.

Now, we fetch the commit object with the commit SHA returned by the
commit change service, which should always be the correct commit.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/53773

2 files changed, 10 insertions, 3 deletions

diff --git a/changelogs/unreleased/rs-cherry-pick-api.yml b/changelogs/unreleased/rs-cherry-pick-api.yml
new file mode 100644
index 00000000000..ce844dfc939
--- /dev/null
+++ b/changelogs/unreleased/rs-cherry-pick-api.yml
@@ -0,0 +1,5 @@
+---
+title: Resolve possible cherry pick API race condition
+merge_request:
+author:
+type: fixed
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index e59abd3e3d0..ee20c6efe78 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -194,11 +194,13 @@ module API
           branch_name: params[:branch]
         }
 
-        result = ::Commits::CherryPickService.new(user_project, current_user, commit_params).execute
+        result = ::Commits::CherryPickService
+          .new(user_project, current_user, commit_params)
+          .execute
 
         if result[:status] == :success
-          branch = find_branch!(params[:branch])
-          present user_project.repository.commit(branch.dereferenced_target), with: Entities::Commit
+          present user_project.repository.commit(result[:result]),
+            with: Entities::Commit
         else
           render_api_error!(result[:message], 400)
         end