Automatic merge of gitlab-org/gitlab-ce master

8435cf31 · GitLab Bot · 48063e7b · c7fc0bf5 · 8435cf31 · 8435cf31
Commit 8435cf31 authored Mar 20, 2019 by GitLab Bot
4 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 11.8.3 (2019-03-19)
+
+### Security (1 change)
+
+- Remove project serialization in quick actions response.
+
+
 ## 11.8.2 (2019-03-13)

 ### Security (1 change)

--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -48,7 +48,7 @@ module NotesActions
    respond_to do |format|
      format.json do
        json = {
-          commands_changes: @note.commands_changes
+          commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
        }

        if @note.persisted? && return_discussion?

--- a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
+++ b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
+---
+title: Remove project serialization in quick actions response
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -413,6 +413,37 @@ describe Projects::NotesController do
        end
      end
    end
+
+    context 'when creating a note with quick actions' do
+      context 'with commands that return changes' do
+        let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+
+        it 'includes changes in commands_changes ' do
+          post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+
+      context 'with commands that do not return changes' do
+        let(:issue) { create(:issue, project: project) }
+        let(:other_project) { create(:project) }
+        let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+
+        before do
+          other_project.add_developer(user)
+        end
+
+        it 'does not include changes in commands_changes' do
+          post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+    end
  end

  describe 'PUT update' do