summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBob Van Landuyt <bob@gitlab.com>2018-10-05 17:45:51 +0000
committerBob Van Landuyt <bob@gitlab.com>2018-10-05 17:45:51 +0000
commitb82cdf0ec0eb662ffe61ab1b9e9abfb881e0d2a1 (patch)
tree9a8eb16f1114605e31ad6df2de58b1f55adbdd2c
parentaa53ae8aac79420bdc52c2d1c006bab097ac1719 (diff)
parent96faeb330860d8f6c509947e9f683c337ccdb6f8 (diff)
downloadgitlab-ce-b82cdf0ec0eb662ffe61ab1b9e9abfb881e0d2a1.tar.gz
Merge branch 'security-osw-user-info-leak-discussions' into 'master'
[security - master] Filter user sensitive data from discussions JSON See merge request gitlab/gitlabhq!2536
-rw-r--r--app/serializers/discussion_entity.rb2
-rw-r--r--changelogs/unreleased/security-osw-user-info-leak-discussions.yml5
-rw-r--r--spec/fixtures/api/schemas/entities/note_user_entity.json21
-rw-r--r--spec/serializers/discussion_entity_spec.rb7
4 files changed, 34 insertions, 1 deletions
diff --git a/app/serializers/discussion_entity.rb b/app/serializers/discussion_entity.rb
index ebe76c9fcda..b6786a0d597 100644
--- a/app/serializers/discussion_entity.rb
+++ b/app/serializers/discussion_entity.rb
@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
expose :resolved?, as: :resolved
expose :resolved_by_push?, as: :resolved_by_push
- expose :resolved_by
+ expose :resolved_by, using: NoteUserEntity
expose :resolved_at
expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)
diff --git a/changelogs/unreleased/security-osw-user-info-leak-discussions.yml b/changelogs/unreleased/security-osw-user-info-leak-discussions.yml
new file mode 100644
index 00000000000..5acbb80fc3d
--- /dev/null
+++ b/changelogs/unreleased/security-osw-user-info-leak-discussions.yml
@@ -0,0 +1,5 @@
+---
+title: Filter user sensitive data from discussions JSON
+merge_request: 2536
+author:
+type: security
diff --git a/spec/fixtures/api/schemas/entities/note_user_entity.json b/spec/fixtures/api/schemas/entities/note_user_entity.json
new file mode 100644
index 00000000000..9b838054563
--- /dev/null
+++ b/spec/fixtures/api/schemas/entities/note_user_entity.json
@@ -0,0 +1,21 @@
+{
+ "type": "object",
+ "required": [
+ "id",
+ "state",
+ "avatar_url",
+ "path",
+ "name",
+ "username"
+ ],
+ "properties": {
+ "id": { "type": "integer" },
+ "state": { "type": "string" },
+ "avatar_url": { "type": "string" },
+ "path": { "type": "string" },
+ "name": { "type": "string" },
+ "username": { "type": "string" },
+ "status_tooltip_html": { "$ref": "../types/nullable_string.json" }
+ },
+ "additionalProperties": false
+}
diff --git a/spec/serializers/discussion_entity_spec.rb b/spec/serializers/discussion_entity_spec.rb
index 378540a35b6..0590304e832 100644
--- a/spec/serializers/discussion_entity_spec.rb
+++ b/spec/serializers/discussion_entity_spec.rb
@@ -36,6 +36,13 @@ describe DiscussionEntity do
)
end
+ it 'resolved_by matches note_user_entity schema' do
+ Notes::ResolveService.new(note.project, user).execute(note)
+
+ expect(subject[:resolved_by].with_indifferent_access)
+ .to match_schema('entities/note_user_entity')
+ end
+
context 'when is LegacyDiffDiscussion' do
let(:project) { create(:project) }
let(:merge_request) { create(:merge_request, source_project: project) }