diff --git a/app/models/concerns/mentionable/reference_regexes.rb b/app/models/concerns/mentionable/reference_regexes.rb
index fec31cd262b41dfc2f99ad083d6b6d2622b5fa21..f44a674b3c97911a0d8409ae1388e360f2ceb46a 100644
--- a/app/models/concerns/mentionable/reference_regexes.rb
+++ b/app/models/concerns/mentionable/reference_regexes.rb
@@ -13,7 +13,9 @@ module Mentionable
 def self.other_patterns
 [
 Commit.reference_pattern,
- MergeRequest.reference_pattern
+ MergeRequest.reference_pattern,
+ Label.reference_pattern,
+ Milestone.reference_pattern
 ]
 end
diff --git a/app/models/system_note_metadata.rb b/app/models/system_note_metadata.rb
index 8ec90ca25d348b88c37fe71ab95fcc7dda51e48c..e47c9081ad373708a14d8a7356b43b09d47821df 100644
--- a/app/models/system_note_metadata.rb
+++ b/app/models/system_note_metadata.rb
@@ -10,6 +10,7 @@ class SystemNoteMetadata < ApplicationRecord
 commit cross_reference close duplicate moved merge
+ label milestone
 ].freeze
 ICON_TYPES = %w[
diff --git a/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b29014117290fa9eb33582741f6fa0d8ca7037ec
--- /dev/null
+++ b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
@@ -0,0 +1,5 @@
+---
+title: Show cross-referenced label and milestones in issues' activities only to authorized users
+merge_request:
+author:
+type: security
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 66e3c6d5e9d1c5eb184b4b4c1819f16c53554472..5d65bad4a9122690b620dffed5209cbe8b997ab4 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
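Review bot: The `Label.reference_pattern` and `Milestone.reference_pattern` entries added to `other_patterns` in reference_regexes.rb, and the `label milestone` entry added to the frozen list in system_note_metadata.rb, are two hand-maintained lists that have to stay in step, and nothing at either site says they now back an access-control decision. Going by the changelog entry and the spec, a system note is checked against the cross-reference regex only when its action is in that list, so an action or reference type missing from either list would presumably leave the note visible to users who cannot see the referenced object. I would add a comment above each list, for example `# Security: types listed here are checked for cross-references before a system note is shown; add any new reference-bearing type to both lists.` The module and the class both continue outside their hunks, so the consuming code should be confirmed before wording the comment more strongly.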
@@ -346,6 +346,63 @@ describe Note do
 expect(label_note.cross_reference?).to be_falsy
 end
 end
+
+ context 'when system note metadata is not present' do
+ let(:note) { build(:note, :system) }
+
+ before do
+ allow(note).to receive(:system_note_metadata).and_return(nil)
+ end
+
+ it 'delegates to the system note service' do
+ expect(SystemNoteService).to receive(:cross_reference?).with(note.note)
+
+ note.cross_reference?
+ end
+ end
+
+ context 'with a system note' do
+ let(:issue) { create(:issue, project: create(:project, :repository)) }
+ let(:note) { create(:system_note, note: "test", noteable: issue, project: issue.project) }
+
+ shared_examples 'system_note_metadata includes note action' do
+ it 'delegates to the cross-reference regex' do
+ expect(note).to receive(:matches_cross_reference_regex?)
+
+ note.cross_reference?
+ end
+ end
+
+ context 'with :label action' do
+ let!(:metadata) {create(:system_note_metadata, note: note, action: :label)}
+
+ it_behaves_like 'system_note_metadata includes note action'
+
+ it { expect(note.cross_reference?).to be_falsy }
+
+ context 'with cross reference label note' do
+ let(:label) { create(:label, project: issue.project)}
+ let(:note) { create(:system_note, note: "added #{label.to_reference} label", noteable: issue, project: issue.project) }
+
+ it { expect(note.cross_reference?).to be_truthy }
+ end
+ end
+
+ context 'with :milestone action' do
+ let!(:metadata) {create(:system_note_metadata, note: note, action: :milestone)}
+
+ it_behaves_like 'system_note_metadata includes note action'
+
+ it { expect(note.cross_reference?).to be_falsy }
+
+ context 'with cross reference milestone note' do
+ let(:milestone) { create(:milestone, project: issue.project)}
+ let(:note) { create(:system_note, note: "added #{milestone.to_reference} milestone", noteable: issue, project: issue.project) }
+
+ it { expect(note.cross_reference?).to be_truthy }
+ end
+ end
+ end
 end
 describe 'clear_blank_line_code!' do
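Review bot: The new examples under `context 'with a system note'` only assert that `cross_reference?` is truthy for a label or milestone created in `issue.project`, so the behaviour the changelog describes, hiding the note from users who are not authorized to see the referenced object, is never exercised. A reference inside the issue's own project is the case least likely to be hidden; I would add a case where the referenced label or milestone belongs to a different, private project and assert on what a user without access to that project is shown. The shared example also stubs `matches_cross_reference_regex?` on the object under test without calling through, which pins the implementation rather than the outcome. As a style point, `{create(:system_note_metadata, note: note, action: :label)}` and the `issue.project)}` endings lack the spaces inside block braces that the neighbouring `let` lines use. The enclosing `describe` block starts above the hunk.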