diff options
| author | Stan Hu <stan@gitlab.com> | 2018-01-06 09:18:13 +0300 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-01-17 04:04:38 +0300 |
| commit | 0424801ec8854167d17c76b68e6ae8c5b5a6a52a (patch) | |
| tree | 460bdd4d717df4dc8b08106d0f48a00cbf0ec4f1 /lib | |
| parent | 3228ac06a019c9126b965ff32e354d10011a4f76 (diff) | |
Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3'
Filter out sensitive fields from the project services API
See merge request gitlab/gitlabhq!2281
(cherry picked from commit 476f2576444632f2a9a61b4cead9c1077f2c81d7)
2bcbbda0 Filter out sensitive fields from the project services API
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/entities.rb | 5 | ||||
| -rw-r--r-- | lib/api/services.rb | 2 | ||||
| -rw-r--r-- | lib/api/v3/entities.rb | 5 | ||||
| -rw-r--r-- | lib/api/v3/services.rb | 2 |
4 files changed, 4 insertions, 10 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index c4ef2c74658..9618d6625bb 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -714,10 +714,7 @@ module API expose :job_events # Expose serialized properties expose :properties do |service, options| - field_names = service.fields - .select { |field| options[:include_passwords] || field[:type] != 'password' } - .map { |field| field[:name] } - service.properties.slice(*field_names) + service.properties.slice(*service.api_field_names) end end diff --git a/lib/api/services.rb b/lib/api/services.rb index a7f44e2869c..51e33e2c686 100644 --- a/lib/api/services.rb +++ b/lib/api/services.rb @@ -785,7 +785,7 @@ module API service_params = declared_params(include_missing: false).merge(active: true) if service.update_attributes(service_params) - present service, with: Entities::ProjectService, include_passwords: current_user.admin? + present service, with: Entities::ProjectService else render_api_error!('400 Bad Request', 400) end diff --git a/lib/api/v3/entities.rb b/lib/api/v3/entities.rb index 64758dae7d3..2ccbb9da1c5 100644 --- a/lib/api/v3/entities.rb +++ b/lib/api/v3/entities.rb @@ -257,10 +257,7 @@ module API expose :job_events, as: :build_events # Expose serialized properties expose :properties do |service, options| - field_names = service.fields - .select { |field| options[:include_passwords] || field[:type] != 'password' } - .map { |field| field[:name] } - service.properties.slice(*field_names) + service.properties.slice(*service.api_field_names) end end diff --git a/lib/api/v3/services.rb b/lib/api/v3/services.rb index 44ed94d2869..20ca1021c71 100644 --- a/lib/api/v3/services.rb +++ b/lib/api/v3/services.rb @@ -622,7 +622,7 @@ module API end get ":id/services/:service_slug" do service = user_project.find_or_initialize_service(params[:service_slug].underscore) - present service, with: Entities::ProjectService, include_passwords: current_user.admin? + present service, with: Entities::ProjectService end end |