author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-31 09:55:45 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-31 09:55:45 +0000 |
commit | 8a97772aca25cb233778ce99c487c674c86ba2fd (patch) | |
tree | 4bbb2614385ca3cf88c166a5faaf0679cf97f7db /lib | |
parent | 5bc8aa03f1ac7ff5a20ae77e8f62631370a52d1a (diff) | |
Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 6 | ||||
-rw-r--r-- | lib/banzai/filter/relative_link_filter.rb | 12 |
2 files changed, 14 insertions, 4 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index cc95be5e3be..76963777566 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1336,7 +1336,7 @@ module API
 expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
 expose :commit, using: Entities::Commit, if: ->(_, _) { can_download_code? }
 expose :upcoming_release?, as: :upcoming_release
- expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? }
+ expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? && can_read_milestone? }
 expose :commit_path, expose_nil: false
 expose :tag_path, expose_nil: false
 expose :evidence_sha, expose_nil: false, if: ->(_, _) { can_download_code? }
@@ -1362,6 +1362,10 @@ module API
 def can_download_code?
 Ability.allowed?(options[:current_user], :download_code, object.project)
 end
+
+ def can_read_milestone?
+ Ability.allowed?(options[:current_user], :read_milestone, object.project)
+ end
 end
 
 class Tag < Grape::Entity
diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb
index 583b0081319..4f257189f8e 100644
--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@@ -116,7 +116,7 @@ module Banzai
 end
 
 def process_link_to_upload_attr(html_attr)
- path_parts = [Addressable::URI.unescape(html_attr.value)]
+ path_parts = [unescape_and_scrub_uri(html_attr.value)]
 
 if project
 path_parts.unshift(relative_url_root, project.full_path)
@@ -172,7 +172,7 @@ module Banzai
 end
 
 def cleaned_file_path(uri)
- Addressable::URI.unescape(uri.path).scrub.delete("\0").chomp("/")
+ unescape_and_scrub_uri(uri.path).delete("\0").chomp("/")
 end
 
 def relative_file_path(uri)
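Review bot: In the new `if:` lambda on the `:milestones` exposure, `release.milestones.present?` runs before `can_read_milestone?`, so the milestone association is still loaded for a caller who is then denied; reordering to `if: -> (release, _) { can_read_milestone? && release.milestones.present? }` short-circuits on the permission check and skips the query for unauthorised users. The new check is made against `object.project` only; if a release can be linked to milestones owned by another scope (for example a group milestone), a project-level `:read_milestone` check would not cover those — this cannot be confirmed from the hunk and is worth checking against the Release model. The `Release` entity class that encloses these lines starts above the hunk.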
@@ -184,7 +184,7 @@ module Banzai
 def request_path
 return unless context[:requested_path]
 
- Addressable::URI.unescape(context[:requested_path]).chomp("/")
+ unescape_and_scrub_uri(context[:requested_path]).chomp("/")
 end
 
 # Convert a relative path into its correct location based on the currently
@@ -266,6 +266,12 @@ module Banzai
 def repository
 @repository ||= project&.repository
 end
+
+ private
+
+ def unescape_and_scrub_uri(uri)
+ Addressable::URI.unescape(uri).scrub
+ end
 end
 end
 end
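Review bot: `unescape_and_scrub_uri` only repairs invalid UTF-8 via `scrub`, so its three callers still disagree on NUL handling: `cleaned_file_path` strips `"\0"` after calling it, while `process_link_to_upload_attr` and `request_path` pass the decoded value on unchanged. If the helper is meant to be the single sanitisation step for attacker-controlled href/src values, folding the deletion in, `Addressable::URI.unescape(uri).scrub.delete("\0")`, makes every caller consistent and lets `cleaned_file_path` drop its own `.delete("\0")`; whether the downstream path handling already rejects NULs is not visible from this hunk. A short comment above the helper would also help the next reader, e.g. `# Percent-decoding user-supplied link text can yield invalid byte sequences; scrub them so later string operations do not raise.` The `end` lines at the bottom close a class and modules whose headers are outside the hunk.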