gitlab Debian release 11.8.3-1

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEsclPZxif+sAmSPvz1N6yL8C5bhUFAlyT3qIACgkQ1N6yL8C5
 bhXi5Q//bdF+ms+S3H2dPNzKb4fbA0UP3nfdHkjhUIcFP2UV4yVibm3uKpEH82W4
 r+LjqtFhQmtbqwNzPZk/xf7+AP6PEcDCck82zK1YEBOJKUuBY+4G4Y7vciOjApwf
 zBPC0E7cXoV9e1j4up01YXeZfugxA3gZUn+rIuwdXct3BFUTYlPaVz/SqGe0KoGu
 DLOjM2Xh7P/HXZiYZeAgBh+TOXlCoKJ8BtKgmiRfjMC+f6OpfCSvtYLkrvZBgYIG
 Tm5DBWMp3J4FPM8apGUrMhAfuBrqBOgV5ah19J5Rs1i01GTDf/pyDOG8awvi20AE
 V3fHKRlLa6Jmlc2iAc++cMSCHeIoMklYjEeCAWnRelnLwOtuA7iwY3smsgBLQMJf
 1c7wTwl6t9WAIWzvLaKNn3b76eDYOJ9eyVJXNseSkuscHFUzmentT/WmxM9+ETxK
 DsjmHHsfGOjAadH1NULGAsIeujYxPIMJBJDv91/iKdZoWjMJRDorNjvhNb7ERXey
 5Da4Gyvi3pzOjJq1pqhBaTnYyC2CWqcIcy9+2uvVFlbnhrHGudPQfF1aAQ9vwK6l
 wPbJ6Tx9j1ZWrCZf5QL/1CcNxACb44IrmYNxqPwSBhrj7pLSnl/BB/hGocKUpNz9
 loCX4kRa1WNNyz6+Psm4N9I3P2gK65+kQtSGufVuxUxF6E890xE=
 =T/42
 -----END PGP SIGNATURE-----

Merge tag 'debian/11.8.3-1' into buster-fasttrack

gitlab Debian release 11.8.3-1

CHANGELOG.md

@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.8.3 (2019-03-19)
+
+### Security (1 change)
+
+- Remove project serialization in quick actions response.
+
+
 ## 11.8.2 (2019-03-13)
 
 ### Security (1 change)

VERSION

@@ -1 +1 @@
-11.8.2
+11.8.3

app/controllers/concerns/notes_actions.rb

@@ -54,7 +54,7 @@ module NotesActions
     respond_to do |format|
       format.json do
         json = {
-          commands_changes: @note.commands_changes
+          commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
         }
 
         if @note.persisted? && return_discussion?

debian/changelog

@@ -1,3 +1,13 @@
+gitlab (11.8.3-1) unstable; urgency=high
+
+  [ Pirate Praveen ]
+  * Set minimum version of git to 2.18
+
+  [ Sruthi Chandran ]
+  * New upstream version 11.8.3 (Closes: #925196) (Fixes: CVE-2019-9866)
+
+ -- Sruthi Chandran <srud@disroot.org>  Fri, 22 Mar 2019 00:19:33 +0530
+
 gitlab (11.8.2-3+fto10+1) buster-fasttrack; urgency=medium
 
   * Rebuild for buster-fasttrack

debian/control

@@ -367,7 +367,7 @@ Architecture: all
 Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby | ruby-interpreter,
  adduser (>= 3.34~),
- git (>= 1:2.7.3~),
+ git (>= 1:2.18~),
  ucf,
  gitlab-shell (>= 8.4.4~)
 Description: git powered software platform to collaborate on code (common)

spec/controllers/projects/notes_controller_spec.rb

@@ -397,6 +397,37 @@ describe Projects::NotesController do
         end
       end
     end
+
+    context 'when creating a note with quick actions' do
+      context 'with commands that return changes' do
+        let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+
+        it 'includes changes in commands_changes ' do
+          post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+
+      context 'with commands that do not return changes' do
+        let(:issue) { create(:issue, project: project) }
+        let(:other_project) { create(:project) }
+        let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+
+        before do
+          other_project.add_developer(user)
+        end
+
+        it 'does not include changes in commands_changes' do
+          post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['commands_changes']).not_to include('target_project', 'title')
+        end
+      end
+    end
   end
 
   describe 'PUT update' do