Limit commands_changes to certain keys

Merge branch 'security-fix-commands-changes' into 'master' See merge request gitlab-org/security/gitlab!2223 Changelog: security

Limit commands_changes to certain keys
Merge branch 'security-fix-commands-changes' into 'master' See merge request gitlab-org/security/gitlab!2223 Changelog: security
ae5a7735 · Heinrich Lee Yu · GitLab Release Tools Bot · b43d9482 · ae5a7735 · ae5a7735
Commit ae5a7735 authored Feb 24, 2022 by Heinrich Lee Yu Committed by GitLab Release Tools Bot Feb 24, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 7 deletions

app/models/note.rb app/models/note.rb +36 -1

spec/models/note_spec.rb spec/models/note_spec.rb +10 -0

spec/requests/api/notes_spec.rb spec/requests/api/notes_spec.rb +4 -6

No files found.
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -50,7 +50,7 @@ class Note < ApplicationRecord
  attr_accessor :user_visible_reference_count

  # Attribute used to store the attributes that have been changed by quick actions.
-  attr_accessor :commands_changes
+  attr_writer :commands_changes

  # Attribute used to determine whether keep_around_commits will be skipped for diff notes.
  attr_accessor :skip_keep_around_commits
@@ -616,6 +616,41 @@ class Note < ApplicationRecord
    change_position.line_range["end"] || change_position.line_range["start"]
  end

+  def commands_changes
+    @commands_changes&.slice(
+      :due_date,
+      :label_ids,
+      :remove_label_ids,
+      :add_label_ids,
+      :canonical_issue_id,
+      :clone_with_notes,
+      :confidential,
+      :create_merge_request,
+      :add_contacts,
+      :remove_contacts,
+      :assignee_ids,
+      :milestone_id,
+      :time_estimate,
+      :spend_time,
+      :discussion_locked,
+      :merge,
+      :rebase,
+      :wip_event,
+      :target_branch,
+      :reviewer_ids,
+      :health_status,
+      :promote_to_epic,
+      :weight,
+      :emoji_award,
+      :todo_event,
+      :subscription_event,
+      :state_event,
+      :title,
+      :tag_message,
+      :tag_name
+    )
+  end
+
  private

  def system_note_viewable_by?(user)

--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -1645,4 +1645,14 @@ RSpec.describe Note do
      end
    end
  end
+
+  describe '#commands_changes' do
+    let(:note) { build(:note) }
+
+    it 'only returns allowed keys' do
+      note.commands_changes = { emoji_award: {}, time_estimate: {}, spend_time: {}, target_project: build(:project) }
+
+      expect(note.commands_changes.keys).to contain_exactly(:emoji_award, :time_estimate, :spend_time)
+    end
+  end
 end
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -233,11 +233,9 @@ RSpec.describe API::Notes do
    subject { post api(request_path, user), params: { body: request_body } }

    context 'a command only note' do
-      let(:assignee) { create(:user) }
-      let(:request_body) { "/assign #{assignee.to_reference}" }
+      let(:request_body) { "/spend 1h" }

      before do
-        project.add_developer(assignee)
        project.add_developer(user)
      end

@@ -256,7 +254,7 @@ RSpec.describe API::Notes do
      end

      it 'applies the commands' do
-        expect { subject }.to change { merge_request.reset.assignees }
+        expect { subject }.to change { merge_request.reset.total_time_spent }
      end

      it 'reports the changes' do
@@ -264,9 +262,9 @@ RSpec.describe API::Notes do

        expect(json_response).to include(
          'commands_changes' => include(
-            'assignee_ids' => [Integer]
+            'spend_time' => include('duration' => 3600)
          ),
-          'summary' => include("Assigned #{assignee.to_reference}.")
+          'summary' => include('Added 1h spent time.')
        )
      end
    end