Merge branch 'security-osw-user-info-leak-discussions' into 'master'

[security - master] Filter user sensitive data from discussions JSON

See merge request gitlab/gitlabhq!2536

app/serializers/discussion_entity.rb

@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
 
   expose :resolved?, as: :resolved
   expose :resolved_by_push?, as: :resolved_by_push
-  expose :resolved_by
+  expose :resolved_by, using: NoteUserEntity
   expose :resolved_at
   expose :resolve_path, if: -> (d, _) { d.resolvable? } do |discussion|
     resolve_project_merge_request_discussion_path(discussion.project, discussion.noteable, discussion.id)

changelogs/unreleased/security-osw-user-info-leak-discussions.yml

+---
+title: Filter user sensitive data from discussions JSON
+merge_request: 2536
+author:
+type: security

spec/fixtures/api/schemas/entities/note_user_entity.json

+{
+  "type": "object",
+  "required": [
+    "id",
+    "state",
+    "avatar_url",
+    "path",
+    "name",
+    "username"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "state": { "type": "string" },
+    "avatar_url": { "type": "string" },
+    "path": { "type": "string" },
+    "name": { "type": "string" },
+    "username": { "type": "string" },
+    "status_tooltip_html": { "$ref": "../types/nullable_string.json" }
+  },
+  "additionalProperties": false
+}

spec/serializers/discussion_entity_spec.rb

@@ -36,6 +36,13 @@ describe DiscussionEntity do
     )
   end
 
+  it 'resolved_by matches note_user_entity schema' do
+    Notes::ResolveService.new(note.project, user).execute(note)
+
+    expect(subject[:resolved_by].with_indifferent_access)
+      .to match_schema('entities/note_user_entity')
+  end
+
   context 'when is LegacyDiffDiscussion' do
     let(:project) { create(:project) }
     let(:merge_request) { create(:merge_request, source_project: project) }