Commit 7be39a89 authored by DJ Mountney's avatar DJ Mountney Committed by DJ Mountney

Merge branch 'render-json-leak' into 'security'

fix for render json include leaks

See merge request !2074
parent 83a0c398
...@@ -146,7 +146,7 @@ class Projects::IssuesController < Projects::ApplicationController ...@@ -146,7 +146,7 @@ class Projects::IssuesController < Projects::ApplicationController
end end
format.json do format.json do
render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) render json: @issue.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
end end
end end
......
...@@ -308,7 +308,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController ...@@ -308,7 +308,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
end end
format.json do format.json do
render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) render json: @merge_request.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
end end
end end
rescue ActiveRecord::StaleObjectError rescue ActiveRecord::StaleObjectError
......
...@@ -141,6 +141,24 @@ describe Projects::IssuesController do ...@@ -141,6 +141,24 @@ describe Projects::IssuesController do
it_behaves_like 'update invalid issuable', Issue it_behaves_like 'update invalid issuable', Issue
context 'changing the assignee' do
it 'limits the attributes exposed on the assignee' do
assignee = create(:user)
project.add_developer(assignee)
put :update,
namespace_id: project.namespace.to_param,
project_id: project,
id: issue.iid,
issue: { assignee_id: assignee.id },
format: :json
body = JSON.parse(response.body)
expect(body['assignee'].keys)
.to match_array(%w(name username avatar_url))
end
end
context 'when moving issue to another private project' do context 'when moving issue to another private project' do
let(:another_project) { create(:empty_project, :private) } let(:another_project) { create(:empty_project, :private) }
......
...@@ -203,6 +203,24 @@ describe Projects::MergeRequestsController do ...@@ -203,6 +203,24 @@ describe Projects::MergeRequestsController do
end end
describe 'PUT update' do describe 'PUT update' do
context 'changing the assignee' do
it 'limits the attributes exposed on the assignee' do
assignee = create(:user)
project.add_developer(assignee)
put :update,
namespace_id: project.namespace.to_param,
project_id: project,
id: merge_request.iid,
merge_request: { assignee_id: assignee.id },
format: :json
body = JSON.parse(response.body)
expect(body['assignee'].keys)
.to match_array(%w(name username avatar_url))
end
end
context 'there is no source project' do context 'there is no source project' do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:fork_project) { create(:forked_project_with_submodules) } let(:fork_project) { create(:forked_project_with_submodules) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment