Commit b82cdf0e authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'security-osw-user-info-leak-discussions' into 'master'

[security - master] Filter user sensitive data from discussions JSON

See merge request gitlab/gitlabhq!2536
parents aa53ae8a 96faeb33
...@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity ...@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
expose :resolved?, as: :resolved expose :resolved?, as: :resolved
expose :resolved_by_push?, as: :resolved_by_push expose :resolved_by_push?, as: :resolved_by_push
expose :resolved_by expose :resolved_by, using: NoteUserEntity
expose :resolved_at expose :resolved_at
expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion| expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id) resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)
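Review bot: The new `using: NoteUserEntity` on `resolved_by` carries no comment saying it is a deliberate allow-list of user fields, so a later cleanup could drop it and expose the bare user again; I would add `# Serialize through NoteUserEntity so only the public profile fields of the resolving user reach the client` above the line. The `note_user_entity` schema added in this commit, with `additionalProperties: false`, is what enforces that set, so any field later exposed by NoteUserEntity must be added there as well or the spec will fail. The DiscussionEntity class continues outside the hunk, so I cannot tell from here whether any other user-valued attribute in it is exposed without a `using:`; worth a quick scan of the rest of the entity.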
---
title: Filter user sensitive data from discussions JSON
merge_request: 2536
author:
type: security
{
"type": "object",
"required": [
"id",
"state",
"avatar_url",
"path",
"name",
"username"
],
"properties": {
"id": { "type": "integer" },
"state": { "type": "string" },
"avatar_url": { "type": "string" },
"path": { "type": "string" },
"name": { "type": "string" },
"username": { "type": "string" },
"status_tooltip_html": { "$ref": "../types/nullable_string.json" }
},
"additionalProperties": false
}
...@@ -36,6 +36,13 @@ describe DiscussionEntity do ...@@ -36,6 +36,13 @@ describe DiscussionEntity do
) )
end end
it 'resolved_by matches note_user_entity schema' do
Notes::ResolveService.new(note.project, user).execute(note)
expect(subject[:resolved_by].with_indifferent_access)
.to match_schema('entities/note_user_entity')
end
context 'when is LegacyDiffDiscussion' do context 'when is LegacyDiffDiscussion' do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:merge_request) { create(:merge_request, source_project: project) } let(:merge_request) { create(:merge_request, source_project: project) }
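Review bot: The new example's description, `'resolved_by matches note_user_entity schema'`, does not say why the shape matters; since the schema has `additionalProperties: false`, this example is the regression guard against leaking user attributes, and the name should say so: `it 'resolved_by exposes only note_user_entity fields (no sensitive user data)' do`. The assertion depends on `subject` being built lazily after the `Notes::ResolveService` call on the first line; if `subject` were ever evaluated earlier the test would fail on `nil.with_indifferent_access` rather than on the schema, so a one-line comment on that ordering would help. `note`, `user` and `subject` are defined outside the hunk, and the `describe` block continues past it.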