Merge branch 'security-makrdown-release-description-vulnerability' into 'master'

[master] Markdown of release notes leaks confidential issue titles and MR titles to any users

See merge request gitlab/gitlabhq!2869

1 files changed, 3 insertions, 1 deletions

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 9f1394571d8..a1f0efa3c68 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1116,7 +1116,9 @@ module API
 
     class Release < TagRelease
       expose :name
-      expose :description_html
+      expose :description_html do |entity|
+        MarkupHelper.markdown_field(entity, :description)
+      end
       expose :created_at
       expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
       expose :commit, using: Entities::Commit