From 719b81d310b67f1ab9543b2da5881560e6927470 Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Fri, 15 Mar 2019 08:07:52 +0800
Subject: [PATCH 1/3] Only return `commands_changes` used in frontend
When executing quick actions, this limits the `commands_changes` response to only those used by the frontend
---
 app/controllers/concerns/notes_actions.rb | 2 +-
 ...project-serialization-in-quick-actions.yml | 5 +++
 .../projects/notes_controller_spec.rb | 31 +++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index 0319948a12f..80b9bdc8f24 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -54,7 +54,7 @@ module NotesActions
 respond_to do |format|
 format.json do
 json = {
- commands_changes: @note.commands_changes
+ commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
 }
 if @note.persisted? && return_discussion?
diff --git a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
new file mode 100644
index 00000000000..272f8a95957
--- /dev/null
+++ b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
@@ -0,0 +1,5 @@
+---
+title: Remove project serialization in quick actions response
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 81892575889..ec91a760388 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
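Review bot: The `slice(:emoji_award, :time_estimate, :spend_time)` on the new `commands_changes:` line is the entire security fix, yet nothing at the call site says it is an allowlist, so the next quick action whose result the frontend wants is likely to widen it without considering what else `@note.commands_changes` may carry (the removed line serialized the whole hash, which is how a project object reached the JSON response). Hoist the keys into a frozen constant on the concern with a why-comment, e.g. `# Allowlist of command results the frontend reads; other results can hold models (a project, for /move) that must never be serialized into the response`, `COMMANDS_CHANGES_KEYS = %i[emoji_award time_estimate spend_time].freeze`, and `commands_changes: @note.commands_changes&.slice(*COMMANDS_CHANGES_KEYS)`. `Hash#slice` matches keys with `eql?`, so this silently returns `{}` if `commands_changes` were ever string-keyed; the new spec's `include('emoji_award', …)` assertion would catch that, which is worth noting in the comment. If another action in this concern also renders `commands_changes` it needs the same filter, but only this site is visible in the hunk, and the enclosing `create` action starts and ends outside it.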
@@ -397,6 +397,37 @@ describe Projects::NotesController do
 end
 end
 end
+
+ context 'when creating a note with quick actions' do
+ context 'with commands that return changes' do
+ let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+ it 'includes changes in commands_changes ' do
+ post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+
+ context 'with commands that do not return changes' do
+ let(:issue) { create(:issue, project: project) }
+ let(:other_project) { create(:project) }
+ let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+ before do
+ other_project.add_developer(user)
+ end
+ it 'does not include changes in commands_changes' do
+ post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+ end
 end
 describe 'PUT update' do
-- GitLab
From b1e13765bfee176716fea3cf52d39d8d1f9d6de7 Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot
Date: Tue, 19 Mar 2019 16:00:02 +0000
Subject: [PATCH 2/3] Update CHANGELOG.md for 11.8.3 [ci skip]
---
 CHANGELOG.md | 7 +++++++
 ...ity-2826-fix-project-serialization-in-quick-actions.yml | 5 -----
 2 files changed, 7 insertions(+), 5 deletions(-)
 delete mode 100644 changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef2ce0ab529..7e54cb1ccee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
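Review bot: The `not_to include('target_project', 'title')` assertion in the first example is vacuous, because `/award`, `/estimate` and `/spend` never produce those keys, so it cannot fail even if the allowlist were removed; pin the allowlist instead with `expect(json_response['commands_changes'].keys).to match_array(%w[emoji_award time_estimate spend_time])`, so that any key added to the response has to be added to the spec deliberately. The description of that example, `'includes changes in commands_changes '`, carries a trailing space. In the second example the filtered value is presumably `{}` (or `nil`, given the `&.` on the controller side — the hunk does not show what `commands_changes` holds for `/move` and `/title`), so asserting the actual value, `expect(json_response['commands_changes']).to eq({})` or `be_blank` if `nil` is possible, states the expected outcome more precisely than `not_to include`. The enclosing `describe` and `POST create` blocks start outside the hunk.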
@@ -2,6 +2,13 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.8.3 (2019-03-19)
+
+### Security (1 change)
+
+- Remove project serialization in quick actions response.
+
+
 ## 11.8.2 (2019-03-13)
 ### Security (1 change)
diff --git a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml b/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
deleted file mode 100644
index 272f8a95957..00000000000
--- a/changelogs/unreleased/security-2826-fix-project-serialization-in-quick-actions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove project serialization in quick actions response
-merge_request:
-author:
-type: security
-- GitLab
From 3f8131133bf6310a7fc05d7a332b4560edb456ef Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot
Date: Tue, 19 Mar 2019 16:01:08 +0000
Subject: [PATCH 3/3] Update VERSION to 11.8.3
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 95da6166f2a..6cf2801b8f6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-11.8.2
+11.8.3
-- GitLab