authorJan Provaznik <jprovaznik@gitlab.com>2018-09-20 16:14:46 +0200
committerJan Provaznik <jprovaznik@gitlab.com>2018-10-23 21:20:20 +0200
commitc1c1496405620d99d5943b1c4b5277b4b7d6ad63 (patch)
treeef22eddee4707eb87edc6abe64f8451fbf24e919 /app/models/concerns/issuable.rb
parentee40dc3a7f1c3f11fad2fde3be17e4ddd5d87585 (diff)
Redact unsubscribe links in issuable texts
It's possible that a user accidentally pastes an unsubscribe link, which is included in the footer of notification emails. This unsubscribe link contains a personal token which an attacker could then use to act as the original user (e.g. for posting comments under their identity).
Diffstat (limited to 'app/models/concerns/issuable.rb')
-rw-r--r--app/models/concerns/issuable.rb3
1 files changed, 3 insertions, 0 deletions
diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb
index 2aa52bbaeea..a808f9ad4ad 100644
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -9,6 +9,7 @@
module Issuable
extend ActiveSupport::Concern
include Gitlab::SQL::Pattern
+ include Redactable
include CacheMarkdownField
include Participable
include Mentionable
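Review bot: `include Redactable` gives no hint of what it does or why this concern needs it; a one-line comment such as `# Strip pasted unsubscribe links (they embed the pasting user's personal token) from user-supplied text` would make the threat this include addresses visible to the next reader. The include is ordered ahead of `include CacheMarkdownField`; if both modules hook into the save lifecycle, that order may decide whether the cached `description_html` is rendered from the redacted or from the original text, which is worth confirming in a spec. The second hunk applies `redact_field` only to `:description`, so a token pasted into another issuable field, or descriptions already persisted before this change, would presumably not be covered by this commit and may need a follow-up.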
@@ -32,6 +33,8 @@ module Issuable
cache_markdown_field :title, pipeline: :single_line
cache_markdown_field :description, issuable_state_filter_enabled: true
+ redact_field :description
+
belongs_to :author, class_name: "User"
belongs_to :updated_by, class_name: "User"
belongs_to :last_edited_by, class_name: 'User'