author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-05 17:45:51 +0000 |
committer | Bob Van Landuyt <bob@gitlab.com> | 2018-10-05 17:45:51 +0000 |
commit | b82cdf0ec0eb662ffe61ab1b9e9abfb881e0d2a1 (patch) | |
tree | 9a8eb16f1114605e31ad6df2de58b1f55adbdd2c | |
parent | aa53ae8aac79420bdc52c2d1c006bab097ac1719 (diff) | |
parent | 96faeb330860d8f6c509947e9f683c337ccdb6f8 (diff) | |
Merge branch 'security-osw-user-info-leak-discussions' into 'master'
[security - master] Filter user sensitive data from discussions JSON
See merge request gitlab/gitlabhq!2536
4 files changed, 34 insertions, 1 deletions
diff --git a/app/serializers/discussion_entity.rb b/app/serializers/discussion_entity.rb
index ebe76c9fcda..b6786a0d597 100644
--- a/app/serializers/discussion_entity.rb
+++ b/app/serializers/discussion_entity.rb
@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
 expose :resolved?, as: :resolved
 expose :resolved_by_push?, as: :resolved_by_push
- expose :resolved_by
+ expose :resolved_by, using: NoteUserEntity
 expose :resolved_at
 expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
 resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)
diff --git a/changelogs/unreleased/security-osw-user-info-leak-discussions.yml b/changelogs/unreleased/security-osw-user-info-leak-discussions.yml
new file mode 100644
index 00000000000..5acbb80fc3d
--- /dev/null
+++ b/changelogs/unreleased/security-osw-user-info-leak-discussions.yml
@@ -0,0 +1,5 @@
+---
+title: Filter user sensitive data from discussions JSON
+merge_request: 2536
+author:
+type: security
diff --git a/spec/fixtures/api/schemas/entities/note_user_entity.json b/spec/fixtures/api/schemas/entities/note_user_entity.json
new file mode 100644
index 00000000000..9b838054563
--- /dev/null
+++ b/spec/fixtures/api/schemas/entities/note_user_entity.json
@@ -0,0 +1,21 @@
+{
+ "type": "object",
+ "required": [
+ "id",
+ "state",
+ "avatar_url",
+ "path",
+ "name",
+ "username"
+ ],
+ "properties": {
+ "id": { "type": "integer" },
+ "state": { "type": "string" },
+ "avatar_url": { "type": "string" },
+ "path": { "type": "string" },
+ "name": { "type": "string" },
+ "username": { "type": "string" },
+ "status_tooltip_html": { "$ref": "../types/nullable_string.json" }
+ },
+ "additionalProperties": false
+}
diff --git a/spec/serializers/discussion_entity_spec.rb b/spec/serializers/discussion_entity_spec.rb
index 378540a35b6..0590304e832 100644
--- a/spec/serializers/discussion_entity_spec.rb
+++ b/spec/serializers/discussion_entity_spec.rb
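Review bot: The `expose :resolved_by, using: NoteUserEntity` line fixes this one attribute, but nothing on the new side records why the `using:` is security-relevant, so a later "simplify" refactor could drop it and silently reintroduce the full-User dump; a one-line comment above it, `# Must go through NoteUserEntity: a bare expose serializes every User column (email, etc.)`, would pin the intent. The same failure mode presumably applies to any other User-valued attribute exposed without a `using:` in app/serializers (author, assignee, closed_by and the like), which this hunk does not touch and I cannot see from here, so a grep for bare `expose` of user objects is worth doing before closing the issue. For an unresolved discussion `resolved_by` is nil; as far as I recall grape-entity renders a nil object as nil through a `using:` entity rather than raising, but that is worth confirming with a spec rather than assuming. The DiscussionEntity class body starts before and continues past this hunk.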
@@ -36,6 +36,13 @@ describe DiscussionEntity do
 )
 end
+ it 'resolved_by matches note_user_entity schema' do
+ Notes::ResolveService.new(note.project, user).execute(note)
+
+ expect(subject[:resolved_by].with_indifferent_access)
+ .to match_schema('entities/note_user_entity')
+ end
+
 context 'when is LegacyDiffDiscussion' do
 let(:project) { create(:project) }
 let(:merge_request) { create(:merge_request, source_project: project) }
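Review bot: The new example only covers the resolved path; the unresolved case, where `resolved_by` is nil and `.with_indifferent_access` would itself raise, is not asserted anywhere, so a regression that started emitting an empty hash or a raw user for unresolved discussions would go unnoticed. A second example such as `it 'exposes resolved_by as nil when unresolved' do expect(subject[:resolved_by]).to be_nil end` closes that gap cheaply. Since the schema fixture's `additionalProperties: false` is what actually enforces the allow-list, a short comment on the `expect` line saying so (`# schema has additionalProperties: false, so any extra User column fails here`) makes the security intent of this example visible to the next reader. The enclosing describe block begins before this hunk and the `context` it introduces continues past it.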