diff options
| author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-04 16:50:33 +0000 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-04 16:50:53 +0000 |
| commit | c95d304d16f1a71e5a6ec4b66dd49bba345a727a (patch) | |
| tree | f3fa8f93db630eb35a7a7cdcd3309f9393ea8f34 | |
| parent | b02315befcd888f9983e0ce7a4bf1f3accfffd46 (diff) | |
| download | gitlab-ce-c95d304d16f1a71e5a6ec4b66dd49bba345a727a.tar.gz | |
Merge branch 'security-makrdown-release-description-vulnerability-11-7' into 'security-11-7'
[11.7] Markdown of release notes leaks confidential issue titles and MR titles to any users
See merge request gitlab/gitlabhq!2871
(cherry picked from commit f7d842f0521f6d209e1b390c9fb733c8bfe7918f)
f2e331c1 Fix Markdown of release notes
| -rw-r--r-- | lib/api/entities.rb | 4 | ||||
| -rw-r--r-- | spec/requests/api/releases_spec.rb | 25 |
2 files changed, 28 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 829d6fb13d4..5da411b4ece 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -1109,7 +1109,9 @@ module API class Release < TagRelease expose :name - expose :description_html + expose :description_html do |entity| + MarkupHelper.markdown_field(entity, :description) + end expose :created_at expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? } expose :commit, using: Entities::Commit diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb index 811e23fb854..1f317971a66 100644 --- a/spec/requests/api/releases_spec.rb +++ b/spec/requests/api/releases_spec.rb @@ -127,6 +127,31 @@ describe API::Releases do .to match_array(release.sources.map(&:url)) end + context "when release description contains confidential issue's link" do + let(:confidential_issue) do + create(:issue, + :confidential, + project: project, + title: 'A vulnerability') + end + + let!(:release) do + create(:release, + project: project, + tag: 'v0.1', + sha: commit.id, + author: maintainer, + description: "This is confidential #{confidential_issue.to_reference}") + end + + it "does not expose confidential issue's title" do + get api("/projects/#{project.id}/releases/v0.1", maintainer) + + expect(json_response['description_html']).to include(confidential_issue.to_reference) + expect(json_response['description_html']).not_to include('A vulnerability') + end + end + context 'when release has link asset' do let!(:link) do create(:release_link, |