Merge branch 'security-bw-confidential-titles-through-markdown-api-11-2' into 'security-11-2'

[11.2] Confidential issue/private snippet titles can be read by unauthenticated user through GFM markdown API See merge request gitlab/gitlabhq!2534
author: Bob Van Landuyt <bob@gitlab.com> 2018-10-04 19:28:54 +0300
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-10-04 19:30:49 +0300
commit: 8344c4ec326cc3026db23c5484e33766310063c3 (patch)
tree: 69d5a01904392cdd033864e8691bc928f7481fa6 /lib/api
parent: bcf3ab7cabde73cae6793c70db849d5c91489b4f (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/api/markdown.rb b/lib/api/markdown.rb
index 5d55224c1a7..09a8c34c5c0 100644
--- a/lib/api/markdown.rb
+++ b/lib/api/markdown.rb
@@ -10,7 +10,8 @@ module API
         detail "This feature was introduced in GitLab 11.0."
       end
       post do
-        context = { only_path: false }
+        context = { only_path: false, current_user: current_user }
+        context[:pipeline] = params[:gfm] ? :full : :plain_markdown
 
         if params[:project]
           project = Project.find_by_full_path(params[:project])
@@ -22,9 +23,7 @@ module API
           context[:skip_project_check] = true
         end
 
-        context[:pipeline] = params[:gfm] ? :full : :plain_markdown
-
-        { html: Banzai.render(params[:text], context) }
+        { html: Banzai.render_and_post_process(params[:text], context) }
       end
     end
   end
author	Bob Van Landuyt <bob@gitlab.com>	2018-10-04 19:28:54 +0300
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-10-04 19:30:49 +0300
commit	8344c4ec326cc3026db23c5484e33766310063c3 (patch)
tree	69d5a01904392cdd033864e8691bc928f7481fa6 /lib/api
parent	bcf3ab7cabde73cae6793c70db849d5c91489b4f (diff)