authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-24 18:53:14 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-24 18:53:14 +0000
commit853618e05f6fea4a3a48822601c60a89830269f4 (patch)
treed547d782169323b90d82d4a8a6e1859f7c1d336b
parenta6adb3368418e9c70b164428e7c9c654aaa11047 (diff)
parent3c60e336585ebfdba47707c399d0227d3b5fa404 (diff)
downloadgitlab-ce-853618e05f6fea4a3a48822601c60a89830269f4.tar.gz
Merge branch 'security-2920-fix-notes-with-label-cross-reference-12-4' into '12-4-stable'
Project path reveals labels from Private project if the issue is moved to public project See merge request gitlab/gitlabhq!3490
-rw-r--r--app/models/concerns/mentionable/reference_regexes.rb4
-rw-r--r--app/models/system_note_metadata.rb1
-rw-r--r--changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference-12-4.yml5
-rw-r--r--spec/models/note_spec.rb57
4 files changed, 66 insertions, 1 deletions
diff --git a/app/models/concerns/mentionable/reference_regexes.rb b/app/models/concerns/mentionable/reference_regexes.rb
index fec31cd262b..f44a674b3c9 100644
--- a/app/models/concerns/mentionable/reference_regexes.rb
+++ b/app/models/concerns/mentionable/reference_regexes.rb
@@ -13,7 +13,9 @@ module Mentionable
def self.other_patterns
[
Commit.reference_pattern,
- MergeRequest.reference_pattern
+ MergeRequest.reference_pattern,
+ Label.reference_pattern,
+ Milestone.reference_pattern
]
end
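Review bot: The two entries added to `other_patterns` carry the security fix, but nothing in the method says so, and a later cleanup could remove them as unrelated to mentions and reopen the disclosure described in the commit message. I would put a comment above the array, for example `# Label and Milestone references can name another project; keep them here so notes containing them are treated as cross-references.` This list presumably also feeds the general reference regex used by every Mentionable, so it is worth confirming that matching label and milestone syntax there does not change reference extraction for ordinary notes. The enclosing module starts outside the hunk.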
diff --git a/app/models/system_note_metadata.rb b/app/models/system_note_metadata.rb
index 11cbeb60bba..5a44ee7211b 100644
--- a/app/models/system_note_metadata.rb
+++ b/app/models/system_note_metadata.rb
@@ -10,6 +10,7 @@ class SystemNoteMetadata < ApplicationRecord
commit cross_reference
close duplicate
moved merge
+ label milestone
].freeze
ICON_TYPES = %w[
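Review bot: The action list extended here and the pattern list in `Mentionable::ReferenceRegexes.other_patterns` now have to be kept in step by hand, and neither side records that dependency. Judging from the spec added in this commit, a system note is only checked against the cross-reference regex when its metadata action appears in this list, so any other action whose text can embed a reference to another project would still skip the visibility check. I would add a comment on the added line such as `# label/milestone notes may reference another project's objects; they must go through the cross-reference visibility check`, and review the remaining actions for the same property. The constant's opening line is outside the hunk.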
diff --git a/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference-12-4.yml b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference-12-4.yml
new file mode 100644
index 00000000000..b2901411729
--- /dev/null
+++ b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference-12-4.yml
@@ -0,0 +1,5 @@
+---
+title: Show cross-referenced label and milestones in issues' activities only to authorized users
+merge_request:
+author:
+type: security
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 1c895f084b0..3ab88b52568 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -379,6 +379,63 @@ describe Note do
expect(label_note.cross_reference?).to be_falsy
end
end
+
+ context 'when system note metadata is not present' do
+ let(:note) { build(:note, :system) }
+
+ before do
+ allow(note).to receive(:system_note_metadata).and_return(nil)
+ end
+
+ it 'delegates to the system note service' do
+ expect(SystemNotes::IssuablesService).to receive(:cross_reference?).with(note.note)
+
+ note.cross_reference?
+ end
+ end
+
+ context 'with a system note' do
+ let(:issue) { create(:issue, project: create(:project, :repository)) }
+ let(:note) { create(:system_note, note: "test", noteable: issue, project: issue.project) }
+
+ shared_examples 'system_note_metadata includes note action' do
+ it 'delegates to the cross-reference regex' do
+ expect(note).to receive(:matches_cross_reference_regex?)
+
+ note.cross_reference?
+ end
+ end
+
+ context 'with :label action' do
+ let!(:metadata) {create(:system_note_metadata, note: note, action: :label)}
+
+ it_behaves_like 'system_note_metadata includes note action'
+
+ it { expect(note.cross_reference?).to be_falsy }
+
+ context 'with cross reference label note' do
+ let(:label) { create(:label, project: issue.project)}
+ let(:note) { create(:system_note, note: "added #{label.to_reference} label", noteable: issue, project: issue.project) }
+
+ it { expect(note.cross_reference?).to be_truthy }
+ end
+ end
+
+ context 'with :milestone action' do
+ let!(:metadata) {create(:system_note_metadata, note: note, action: :milestone)}
+
+ it_behaves_like 'system_note_metadata includes note action'
+
+ it { expect(note.cross_reference?).to be_falsy }
+
+ context 'with cross reference milestone note' do
+ let(:milestone) { create(:milestone, project: issue.project)}
+ let(:note) { create(:system_note, note: "added #{milestone.to_reference} milestone", noteable: issue, project: issue.project) }
+
+ it { expect(note.cross_reference?).to be_truthy }
+ end
+ end
+ end
end
describe 'clear_blank_line_code!' do
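Review bot: The added examples never exercise the case named in the commit message, because every label and milestone is created in `issue.project` and the assertions stop at `cross_reference?`. A regression test for the leak needs a label owned by a different, private project, e.g. `let(:label) { create(:label, project: create(:project, :private)) }` with the note text built from `label.to_reference(issue.project)`. It should then assert that a user who is not a member of that private project is not shown the note, and the same for milestones. As a style point, the `let!(:metadata) {create(...)}` and `let(:label) { ... )}` lines are missing the spaces inside the braces that the rest of the file uses.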