authorBob Van Landuyt <bob@gitlab.com>2018-10-04 16:28:31 +0000
committerBob Van Landuyt <bob@vanlanduyt.co>2018-10-04 18:30:16 +0200
commit380ec65894852a23a7a45e72b585263a8fbfbb8c (patch)
treec03c150a1e40a2937fc5b92d7bf33f5fef9f1315
parentcd435dedf2f249e3dca5cc04e37d168725377a2e (diff)
downloadgitlab-ce-380ec65894852a23a7a45e72b585263a8fbfbb8c.tar.gz
Merge branch 'security-osw-user-info-leak-discussions-11-2' into 'security-11-2'
[11.2] Filter user-sensitive data from discussions JSON. See merge request gitlab/gitlabhq!2538
-rw-r--r--app/serializers/discussion_entity.rb2
-rw-r--r--changelogs/unreleased/security-osw-user-info-leak-discussions-11-2.yml5
-rw-r--r--spec/fixtures/api/schemas/entities/note_user_entity.json26
-rw-r--r--spec/serializers/discussion_entity_spec.rb7
4 files changed, 39 insertions, 1 deletions
diff --git a/app/serializers/discussion_entity.rb b/app/serializers/discussion_entity.rb
index b8321037fa5..0e50474fd88 100644
--- a/app/serializers/discussion_entity.rb
+++ b/app/serializers/discussion_entity.rb
@@ -26,7 +26,7 @@ class DiscussionEntity < Grape::Entity
expose :resolved?, as: :resolved
expose :resolved_by_push?, as: :resolved_by_push
- expose :resolved_by
+ expose :resolved_by, using: NoteUserEntity
expose :resolved_at
expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)
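Review bot: The new `expose :resolved_by, using: NoteUserEntity` line carries the whole security fix but nothing in the file says why the entity is required, so a later edit could drop the `using:` option without noticing the consequence; a short comment above it would pin the intent, e.g. `# Serialize resolved_by through NoteUserEntity so only the public user attributes reach the JSON, never the raw User record.` The class body of DiscussionEntity starts and ends outside this hunk, so I cannot see whether any other `expose` of a user-valued attribute in the same entity is still serialized without a `using:` entity; it is worth a grep over the rest of the file before merging, since the same leak pattern would apply there. The spec hunk in `spec/serializers/discussion_entity_spec.rb` pins this line via the new `note_user_entity` schema, which is the right regression guard.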
diff --git a/changelogs/unreleased/security-osw-user-info-leak-discussions-11-2.yml b/changelogs/unreleased/security-osw-user-info-leak-discussions-11-2.yml
new file mode 100644
index 00000000000..2720212aca3
--- /dev/null
+++ b/changelogs/unreleased/security-osw-user-info-leak-discussions-11-2.yml
@@ -0,0 +1,5 @@
+---
+title: Filter user sensitive data from discussions JSON
+merge_request: 2538
+author:
+type: security
diff --git a/spec/fixtures/api/schemas/entities/note_user_entity.json b/spec/fixtures/api/schemas/entities/note_user_entity.json
new file mode 100644
index 00000000000..aab98981dd9
--- /dev/null
+++ b/spec/fixtures/api/schemas/entities/note_user_entity.json
@@ -0,0 +1,26 @@
+{
+ "type": "object",
+ "required": [
+ "id",
+ "state",
+ "avatar_url",
+ "path",
+ "name",
+ "username"
+ ],
+ "properties": {
+ "id": { "type": "integer" },
+ "state": { "type": "string" },
+ "avatar_url": { "type": "string" },
+ "path": { "type": "string" },
+ "name": { "type": "string" },
+ "username": { "type": "string" },
+ "status_tooltip_html": {
+ "oneOf": [
+ { "type": "null" },
+ { "type": "string" }
+ ]
+ }
+ },
+ "additionalProperties": false
+}
diff --git a/spec/serializers/discussion_entity_spec.rb b/spec/serializers/discussion_entity_spec.rb
index 378540a35b6..0590304e832 100644
--- a/spec/serializers/discussion_entity_spec.rb
+++ b/spec/serializers/discussion_entity_spec.rb
@@ -36,6 +36,13 @@ describe DiscussionEntity do
)
end
+ it 'resolved_by matches note_user_entity schema' do
+ Notes::ResolveService.new(note.project, user).execute(note)
+
+ expect(subject[:resolved_by].with_indifferent_access)
+ .to match_schema('entities/note_user_entity')
+ end
+
context 'when is LegacyDiffDiscussion' do
let(:project) { create(:project) }
let(:merge_request) { create(:merge_request, source_project: project) }
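Review bot: The new example resolves the note inline with `Notes::ResolveService.new(note.project, user).execute(note)` and then asserts on `subject[:resolved_by]`, so the setup and the assertion are mixed in one example and the unresolved case is not exercised at all. A `context 'when the discussion is resolved'` with the service call in a `before` block would leave the example body as the single `expect(...).to match_schema('entities/note_user_entity')` line, and a sibling example could assert that `subject[:resolved_by]` is `nil` before resolution, which documents that the entity does not emit a user object in that state. The schema fixture's `"additionalProperties": false` is what makes this test a real leak guard, and a one-line comment on the example saying so, e.g. `# Regression guard: the schema rejects any user attribute beyond the public set.`, would keep that from being relaxed casually. The enclosing `describe DiscussionEntity` block begins and ends outside this hunk.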