Commit b6a43731 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-makrdown-release-description-vulnerability' into 'master'

[master] Markdown of release notes leaks confidential issue titles and MR titles to any user

See merge request gitlab/gitlabhq!2869
parents 0f7920ca f942a08d
......@@ -1116,7 +1116,9 @@ module API
class Release < TagRelease
expose :name
expose :description_html
expose :description_html do |entity|
MarkupHelper.markdown_field(entity, :description)
end
expose :created_at
expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
expose :commit, using: Entities::Commit
......
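Review bot: Whether the new `description_html` block actually redacts confidential references depends on which viewer `MarkupHelper.markdown_field` resolves, and no `current_user` is passed at this call site; if the helper falls back to the requesting user the output is correctly scoped, but if it renders with no user (which the spec's expectation for a maintainer suggests) authorized users lose reference titles as well, and if it picked up any other user the leak would persist, so confirm which it is. The intent should be stated on the expose line, e.g. `# Render on read so confidential issue/MR references are redacted for the viewer; the stored description_html is presumably a one-time render with no viewer context.` The pre-rendered `description_html` attribute that the removed line exposed presumably still exists on the model; confirm no other serializer or view returns it, otherwise the same leak remains there. `Entities::Release` continues past the end of this hunk.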
......@@ -127,6 +127,31 @@ describe API::Releases do
.to match_array(release.sources.map(&:url))
end
context "when release description contains confidential issue's link" do
let(:confidential_issue) do
create(:issue,
:confidential,
project: project,
title: 'A vulnerability')
end
let!(:release) do
create(:release,
project: project,
tag: 'v0.1',
sha: commit.id,
author: maintainer,
description: "This is confidential #{confidential_issue.to_reference}")
end
it "does not expose confidential issue's title" do
get api("/projects/#{project.id}/releases/v0.1", maintainer)
expect(json_response['description_html']).to include(confidential_issue.to_reference)
expect(json_response['description_html']).not_to include('A vulnerability')
end
end
context 'when release has link asset' do
let!(:link) do
create(:release_link,
......
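Review bot: The new example only requests the release as `maintainer`, a user who is permitted to read the confidential issue, so `not_to include('A vulnerability')` pins a render-without-viewer behaviour rather than the cross-user leak the commit title describes; add an example for a non-member or guest, which is the actual threat model, and make the intent explicit in the example name, e.g. `it "does not expose confidential issue's title even to a member who can read the issue"`. The commit title also covers MR titles, but no example references a merge request the requester cannot read; a sibling context with a `create(:merge_request, ...)` reference in the description and the same pair of assertions would close that gap. The `describe API::Releases` block continues outside the hunk.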