author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-06 12:03:21 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-06 12:03:21 +0000 |
commit | b6a437313d9869836417dfafb84b62077873fbe0 (patch) | |
tree | 8c1e82892dc0d87529441cafebf7a5265fa79475 /lib | |
parent | 0f7920cace3e3a6948593737a658265533315361 (diff) | |
parent | f942a08d23923afc7c99d750922ff61018cbcbf8 (diff) | |
download | gitlab-ce-b6a437313d9869836417dfafb84b62077873fbe0.tar.gz |
Merge branch 'security-makrdown-release-description-vulnerability' into 'master'
[master] Markdown of release notes leaks confidential issue titles and MR titles to any users
See merge request gitlab/gitlabhq!2869
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 9f1394571d8..a1f0efa3c68 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1116,7 +1116,9 @@ module API
 class Release < TagRelease
 expose :name
- expose :description_html
+ expose :description_html do |entity|
+ MarkupHelper.markdown_field(entity, :description)
+ end
 expose :created_at
 expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
 expose :commit, using: Entities::Commit |
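Review bot: The new block on `expose :description_html` has no comment saying why the HTML is rendered at request time instead of exposing the stored attribute, so a later cleanup could collapse it back to the one-line form and bring the leak back. I would add above it `# Rendered per request so references the requester may not see are redacted; do not expose the stored description_html directly.` The block also takes only `entity` and passes no user or options to `MarkupHelper.markdown_field`, so which viewer the redaction is computed for is not visible in this hunk. That presumably happens inside the helper and is worth confirming with a request spec asserting that a confidential issue title is absent from `description_html` for a user without access; the diffstat is limited to `lib`, so such a spec may already exist outside this view. The `Release` class body continues past the hunk.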