Merge branch 'render-json-leak' into 'security'

fix for render json include leaks See merge request !2074 Conflicts: app/controllers/projects/merge_requests_controller.rb spec/controllers/projects/issues_controller_spec.rb
author: DJ Mountney <dj@gitlab.com> 2017-03-18 04:23:15 +0000
committer: Ruben Davila <rdavila84@gmail.com> 2017-03-18 13:54:55 -0500
commit: a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b (patch)
tree: a9c1417fb3decbcb863edfb08530bd346dca591d
parent: f71103dfca9787a0bc01b67c0069eb7bfcb5bbe6 (diff)
download: gitlab-ce-a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b.tar.gz
4 files changed, 43 insertions, 2 deletions
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 3794585ce35..9f085e32776 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -126,7 +126,7 @@ class Projects::IssuesController < Projects::ApplicationController
       end
 
       format.json do
-        render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
+        render json: @issue.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
       end
     end
 
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index fbad66c5c40..5b1b4d19488 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -288,7 +288,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
                        @merge_request.target_project, @merge_request])
         end
         format.json do
-          render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
+          render json: @merge_request.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
         end
       end
     else
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index ea70d518e9b..5a26c18fa3a 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -123,6 +123,29 @@ describe Projects::IssuesController do
   end
 
   describe 'PUT #update' do
+    before do
+      sign_in(user)
+      project.team << [user, :developer]
+    end
+
+    context 'changing the assignee' do
+      it 'limits the attributes exposed on the assignee' do
+        assignee = create(:user)
+        project.add_developer(assignee)
+
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project,
+          id: issue.iid,
+          issue: { assignee_id: assignee.id },
+          format: :json
+        body = JSON.parse(response.body)
+
+        expect(body['assignee'].keys)
+          .to match_array(%w(name username avatar_url))
+      end
+    end
+
     context 'when moving issue to another private project' do
       let(:another_project) { create(:empty_project, :private) }
 
diff --git a/spec/controllers/projects/merge_requests_controller_spec.rb b/spec/controllers/projects/merge_requests_controller_spec.rb
index 63780802cfa..cd6385fab61 100644
--- a/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -197,6 +197,24 @@ describe Projects::MergeRequestsController do
   end
 
   describe 'PUT update' do
+    context 'changing the assignee' do
+      it 'limits the attributes exposed on the assignee' do
+        assignee = create(:user)
+        project.add_developer(assignee)
+
+        put :update,
+          namespace_id: project.namespace.to_param,
+          project_id: project,
+          id: merge_request.iid,
+          merge_request: { assignee_id: assignee.id },
+          format: :json
+        body = JSON.parse(response.body)
+
+        expect(body['assignee'].keys)
+          .to match_array(%w(name username avatar_url))
+      end
+    end
+
     context 'there is no source project' do
       let(:project)       { create(:project) }
       let(:fork_project)  { create(:forked_project_with_submodules) }
author	DJ Mountney <dj@gitlab.com>	2017-03-18 04:23:15 +0000
committer	Ruben Davila <rdavila84@gmail.com>	2017-03-18 13:54:55 -0500
commit	a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b (patch)
tree	a9c1417fb3decbcb863edfb08530bd346dca591d
parent	f71103dfca9787a0bc01b67c0069eb7bfcb5bbe6 (diff)
download	gitlab-ce-a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b.tar.gz