author | John Jarvis <jarv@gitlab.com> | 2019-03-20 10:45:18 +0000 |
committer | John Jarvis <jarv@gitlab.com> | 2019-03-20 10:45:18 +0000 |
commit | 9c529aec64256d3ddf5cd0d1835da6a8b090f7c1 (patch) | |
tree | 7b22244605aa8bb5a5f783b1dfa746367e9ab971 | |
parent | 8436b72f4641f1e1de7fd08c91e63e6fe73e54d9 (diff) | |
parent | df53080d37701e341d282721d5ae368fa97cea9a (diff) | |
download | gitlab-ce-9c529aec64256d3ddf5cd0d1835da6a8b090f7c1.tar.gz |
Merge branch 'security-11-9-2826-fix-project-serialization-in-quick-actions' into '11-9-stable'
Fix project serialization in quick actions response
See merge request gitlab/gitlabhq!3015
3 files changed, 37 insertions, 1 deletions
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index b4fee93713b..f96d1821095 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -48,7 +48,7 @@ module NotesActions
 respond_to do |format|
 format.json do
 json = {
- commands_changes: @note.commands_changes
+ commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
 }

 if @note.persisted? && return_discussion?
diff --git a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
new file mode 100644
index 00000000000..272f8a95957
--- /dev/null
+++ b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
@@ -0,0 +1,5 @@
+---
+title: Remove project serialization in quick actions response
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 0b0f5117784..deecb7fefe9 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
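Review bot: The allowlist passed to `&.slice` on the `+` line is an inline magic list with no record of why exactly these three keys are safe to serialize, so a later maintainer adding a quick action may extend it with a key that carries a full model, which is the disclosure this commit removes. Extract it to a frozen constant near the top of `NotesActions`, e.g. `COMMANDS_CHANGES_ALLOWLIST = %i[emoji_award time_estimate spend_time].freeze`, call `@note.commands_changes&.slice(*COMMANDS_CHANGES_ALLOWLIST)`, and put a one-line comment above the constant such as `# Deny-by-default: only scalar command results are exposed in JSON; entries like target_project hold whole models and must not be serialized.` The `&.` presumably guards a nil `commands_changes` on an unsaved note — confirm, since an empty hash would already slice to `{}` without it. The enclosing method that builds `json` starts and ends outside the hunk.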
@@ -413,6 +413,37 @@ describe Projects::NotesController do
 end
 end
 end
+
+ context 'when creating a note with quick actions' do
+ context 'with commands that return changes' do
+ let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+
+ it 'includes changes in commands_changes ' do
+ post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+
+ context 'with commands that do not return changes' do
+ let(:issue) { create(:issue, project: project) }
+ let(:other_project) { create(:project) }
+ let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+
+ before do
+ other_project.add_developer(user)
+ end
+
+ it 'does not include changes in commands_changes' do
+ post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+ end
 end

 describe 'PUT update' do |
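Review bot: The second example only asserts that two keys are absent, so it also passes when `commands_changes` is nil or when the `/move` and `/title` commands were rejected before producing any change, which would mask a regression in the filter rather than exercise it; since both commands' results are meant to be filtered out, `expect(json_response['commands_changes']).to be_empty` pins the intended outcome (hedged: the exact value depends on what `commands_changes` holds for a note whose body is only commands — confirm). The first example's description `'includes changes in commands_changes '` carries a trailing space that will appear verbatim in test output; drop it. The enclosing `describe` block starts outside the hunk, and `request_params`, `project`, `user` and `json_response` are presumably defined there.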