Merge remote-tracking branch 'dev/master'

* dev/master: Update CHANGELOG.md for 11.8.3 Update CHANGELOG.md for 11.7.7 Only return `commands_changes` used in frontend

Merge remote-tracking branch 'dev/master'
* dev/master: Update CHANGELOG.md for 11.8.3 Update CHANGELOG.md for 11.7.7 Only return `commands_changes` used in frontend
c7fc0bf5 · Alex Hanselka · fbc49fa3 · d8dfd330 · c7fc0bf5 · c7fc0bf5
Commit c7fc0bf5 authored Mar 20, 2019 by Alex Hanselka
4 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 11.8.3 (2019-03-19)
+### Security (1 change)
+- Remove project serialization in quick actions response.
 ## 11.8.2 (2019-03-13)
 ### Security (1 change)
@@ -264,6 +271,14 @@ entry.
 - Creates mixin to reduce code duplication between CE and EE in graph component.
+## 11.7.7 (2019-03-19)
+### Security (2 changes)
+- Remove project serialization in quick actions response.
+- Fixed ability to see private groups by users not belonging to given group.
 ## 11.7.5 (2019-02-06)
 ### Fixed (8 changes)

--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -48,7 +48,7 @@ module NotesActions
    respond_to do |format|
      format.json do
        json = {
-          commands_changes: @note.commands_changes
+          commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
        }
        if @note.persisted? && return_discussion?

--- a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
+++ b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
+---
+title: Remove project serialization in quick actions response
+merge_request:
+author:
+type: security
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -413,6 +413,37 @@ describe Projects::NotesController do
        end
      end
    end
+    context 'when creating a note with quick actions' do
+      context 'with commands that return changes' do
+        let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+        it 'includes changes in commands_changes ' do
+          post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+      context 'with commands that do not return changes' do
+        let(:issue) { create(:issue, project: project) }
+        let(:other_project) { create(:project) }
+        let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+        before do
+          other_project.add_developer(user)
+        end
+        it 'does not include changes in commands_changes' do
+          post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+    end
  end
  describe 'PUT update' do