
Remove sha from project/releases.json

Vladimir Shushlin requested to merge remove-sha-from-releases-json into master

What does this MR do and why?

We consider Release.sha to be source_code, so users who don't have access to download code (Guest users) should not be able to see the sha.

But Projects::ReleasesController exposes the sha field in https://gitlab.com/gitlab-org/gitlab/-/releases.json

The MR filter uses the index.json endpoint to get the list of releases, but it actually needs only the tag field:

[Screenshot: MR filter (Screenshot_2022-04-29_at_15.47.57)]

This MR removes the sha by re-using the existing ReleaseSerializer instead of releases.to_json.
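The underlying defect is an allowlist problem: dumping a model with `to_json` emits every attribute, while a serializer emits only the fields a consumer is known to need. The following is an added, self-contained illustration of that difference; it is not GitLab's code. `Release`, `ReleaseIndexSerializer`, `leaks_sha?` and the sample release data are constructed stand-ins, not the project's model, `ReleaseSerializer`, or real tags/SHAs.

```ruby
require 'json'

# Constructed stand-in for a Release model (a plain Struct, not GitLab's ActiveRecord model).
Release = Struct.new(:tag, :name, :sha, keyword_init: true)

# Naive serialization: dumping whole records exposes every attribute, sha included.
# This mirrors the problem with calling `to_json` directly on the releases collection.
def naive_release_json(releases)
  JSON.generate(releases.map(&:to_h))
end

# Allowlist serializer: only the fields the consumer needs are emitted.
# Hypothetical stand-in for a project serializer; the exposed field list is ours.
class ReleaseIndexSerializer
  EXPOSED_FIELDS = %i[tag name].freeze

  def represent(releases)
    releases.map { |r| EXPOSED_FIELDS.to_h { |field| [field.to_s, r[field]] } }
  end
end

def serialized_release_json(releases)
  JSON.generate(ReleaseIndexSerializer.new.represent(releases))
end

# Regression check usable in a controller spec: does the payload leak a sha?
def leaks_sha?(json)
  JSON.parse(json).any? { |entry| entry.key?('sha') }
end

# Constructed sample data; the SHAs are placeholders, not real commits.
RELEASES = [
  Release.new(tag: 'v15.0.0', name: 'Release 15.0', sha: 'deadbeef' * 5),
  Release.new(tag: 'v14.10.0', name: 'Release 14.10', sha: 'cafebabe' * 5)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:      #{naive_release_json(RELEASES)}"
  puts "serialized: #{serialized_release_json(RELEASES)}"
end
```

The `leaks_sha?` check is the kind of assertion worth keeping in a request spec for the index endpoint when run as a Guest, so a later change that reverts to `to_json` fails the test rather than reintroducing the leak.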

This is a security fix, but since it's a severity4 we decided to bypass the security workflow.

See more comments on the code itself.

See #191332 (closed) for more details.
