Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
829c9c65
Commit
829c9c65
authored
Sep 19, 2018
by
Brett Walker
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
post_process markdown redered by API
parent
e5d3a75a
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
62 additions
and
5 deletions
+62
-5
app/models/project_services/hipchat_service.rb
app/models/project_services/hipchat_service.rb
+1
-1
changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
.../security-bw-confidential-titles-through-markdown-api.yml
+5
-0
lib/api/markdown.rb
lib/api/markdown.rb
+3
-4
lib/banzai.rb
lib/banzai.rb
+7
-0
spec/requests/api/markdown_spec.rb
spec/requests/api/markdown_spec.rb
+46
-0
No files found.
app/models/project_services/hipchat_service.rb
View file @
829c9c65
...
...
@@ -149,7 +149,7 @@ class HipchatService < Service
context
.
merge!
(
options
)
html
=
Banzai
.
post_process
(
Banzai
.
render
(
text
,
context
)
,
context
)
html
=
Banzai
.
render_and_post_process
(
text
,
context
)
sanitized_html
=
sanitize
(
html
,
tags:
HIPCHAT_ALLOWED_TAGS
,
attributes:
%w[href title alt]
)
sanitized_html
.
truncate
(
200
,
separator:
' '
,
omission:
'...'
)
...
...
changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
0 → 100644
View file @
829c9c65
---
title
:
Markdown API no longer displays confidential title references unless authorized
merge_request
:
author
:
type
:
security
lib/api/markdown.rb
View file @
829c9c65
...
...
@@ -10,7 +10,8 @@ module API
detail
"This feature was introduced in GitLab 11.0."
end
post
do
context
=
{
only_path:
false
}
context
=
{
only_path:
false
,
current_user:
current_user
}
context
[
:pipeline
]
=
params
[
:gfm
]
?
:full
:
:plain_markdown
if
params
[
:project
]
project
=
Project
.
find_by_full_path
(
params
[
:project
])
...
...
@@ -22,9 +23,7 @@ module API
context
[
:skip_project_check
]
=
true
end
context
[
:pipeline
]
=
params
[
:gfm
]
?
:full
:
:plain_markdown
{
html:
Banzai
.
render
(
params
[
:text
],
context
)
}
{
html:
Banzai
.
render_and_post_process
(
params
[
:text
],
context
)
}
end
end
end
...
...
lib/banzai.rb
View file @
829c9c65
module
Banzai
# if you need to render markdown, then you probably need to post_process as well,
# such as removing references that the current user doesn't have
# permission to make
def
self
.
render_and_post_process
(
text
,
context
=
{})
post_process
(
render
(
text
,
context
),
context
)
end
def
self
.
render
(
text
,
context
=
{})
Renderer
.
render
(
text
,
context
)
end
...
...
spec/requests/api/markdown_spec.rb
View file @
829c9c65
...
...
@@ -106,6 +106,52 @@ describe API::Markdown do
.
and
include
(
"#1</a>"
)
end
end
context
'with a public project and confidential issue'
do
let
(
:public_project
)
{
create
(
:project
,
:public
)
}
let
(
:confidential_issue
)
{
create
(
:issue
,
:confidential
,
project:
public_project
,
title:
'Confidential title'
)
}
let
(
:text
)
{
":tada: Hello world! :100:
#{
confidential_issue
.
to_reference
}
"
}
let
(
:params
)
{
{
text:
text
,
gfm:
true
,
project:
public_project
.
full_path
}
}
shared_examples
'user without proper access'
do
it
'does not render the title or link'
do
expect
(
response
).
to
have_http_status
(
201
)
expect
(
json_response
[
"html"
]).
not_to
include
(
'Confidential title'
)
expect
(
json_response
[
"html"
]).
not_to
include
(
'<a href='
)
expect
(
json_response
[
"html"
]).
to
include
(
'Hello world!'
)
.
and
include
(
'data-name="tada"'
)
.
and
include
(
'data-name="100"'
)
.
and
include
(
'#1</p>'
)
end
end
context
'when not logged in'
do
let
(
:user
)
{
}
it_behaves_like
'user without proper access'
end
context
'when logged in as user without access'
do
let
(
:user
)
{
create
(
:user
)
}
it_behaves_like
'user without proper access'
end
context
'when logged in as author'
do
let
(
:user
)
{
confidential_issue
.
author
}
it
'renders the title or link'
do
expect
(
response
).
to
have_http_status
(
201
)
expect
(
json_response
[
"html"
]).
to
include
(
'Confidential title'
)
expect
(
json_response
[
"html"
]).
to
include
(
'Hello world!'
)
.
and
include
(
'data-name="tada"'
)
.
and
include
(
'data-name="100"'
)
.
and
include
(
"<a href=
\"
#{
IssuesHelper
.
url_for_issue
(
confidential_issue
.
iid
,
public_project
)
}
\"
"
)
.
and
include
(
"#1</a>"
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment