author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-04 16:52:35 +0000 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-10-04 18:58:05 +0200 |
commit | 74532158e0599e918e911d1039a92972a7902911 (patch) | |
tree | b498433ab6b357fd859ee7151e5eaee687017d4c | |
parent | af2e5ea53177a0ced353259f7fa8d47d7390f826 (diff) | |
Merge branch 'security-osw-user-info-leak-discussions-11-3' into 'security-11-3'
[11.3] Filter user sensitive data from discussions JSON
See merge request gitlab/gitlabhq!2537
4 files changed, 39 insertions, 1 deletions
diff --git a/app/serializers/discussion_entity.rb b/app/serializers/discussion_entity.rb
index ebe76c9fcda..b6786a0d597 100644
--- a/app/serializers/discussion_entity.rb
+++ b/app/serializers/discussion_entity.rb
@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
   expose :resolved?, as: :resolved
   expose :resolved_by_push?, as: :resolved_by_push
-  expose :resolved_by
+  expose :resolved_by, using: NoteUserEntity
   expose :resolved_at
   expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
     resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)
diff --git a/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml b/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml
new file mode 100644
index 00000000000..0276ffe032f
--- /dev/null
+++ b/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml
@@ -0,0 +1,5 @@
+---
+title: Filter user sensitive data from discussions JSON
+merge_request: 2537
+author:
+type: security
diff --git a/spec/fixtures/api/schemas/entities/note_user_entity.json b/spec/fixtures/api/schemas/entities/note_user_entity.json
new file mode 100644
index 00000000000..aab98981dd9
--- /dev/null
+++ b/spec/fixtures/api/schemas/entities/note_user_entity.json
@@ -0,0 +1,26 @@
+{
+  "type": "object",
+  "required": [
+    "id",
+    "state",
+    "avatar_url",
+    "path",
+    "name",
+    "username"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "state": { "type": "string" },
+    "avatar_url": { "type": "string" },
+    "path": { "type": "string" },
+    "name": { "type": "string" },
+    "username": { "type": "string" },
+    "status_tooltip_html": {
+      "oneOf": [
+        { "type": "null" },
+        { "type": "string" }
+      ]
+    }
+  },
+  "additionalProperties": false
+}
diff --git a/spec/serializers/discussion_entity_spec.rb b/spec/serializers/discussion_entity_spec.rb
index 378540a35b6..0590304e832 100644
--- a/spec/serializers/discussion_entity_spec.rb
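Review bot: The reason `resolved_by` must go through NoteUserEntity is recorded only in the changelog, not at the exposure itself, so a later refactor could drop the `using:` option and silently reintroduce the full User serialization. Consider annotating the line: `# Never expose a bare User here: serialize through NoteUserEntity so only public profile fields reach the discussions JSON`. The hunk shows only this one User-valued attribute; if DiscussionEntity, or an entity it nests, exposes any other User-typed value without a `using:`, it presumably leaks the same way and is worth a grep across app/serializers. The class body continues outside the hunk.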
+++ b/spec/serializers/discussion_entity_spec.rb
@@ -36,6 +36,13 @@ describe DiscussionEntity do
     )
   end
 
+  it 'resolved_by matches note_user_entity schema' do
+    Notes::ResolveService.new(note.project, user).execute(note)
+
+    expect(subject[:resolved_by].with_indifferent_access)
+      .to match_schema('entities/note_user_entity')
+  end
+
   context 'when is LegacyDiffDiscussion' do
     let(:project) { create(:project) }
     let(:merge_request) { create(:merge_request, source_project: project) }
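Review bot: The new example only exercises the resolved branch; the unresolved case, where `resolved_by` is presumably nil and the `using:` wrapper must serialize that as `null` rather than an empty entity, is not pinned. A companion example would close that gap: `it 'exposes resolved_by as nil when the discussion is unresolved' do` / `  expect(subject[:resolved_by]).to be_nil` / `end`. Note also that `.with_indifferent_access` on a nil `resolved_by` would fail with NoMethodError rather than a schema mismatch, so a regression in the resolve path would surface as a confusing error. The `describe` block and the `note`/`user` definitions this example depends on lie outside the hunk.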