Remove sha from project/releases.json
What does this MR do and why?
We consider `Release.sha` to be source_code, so users who don't have access to download code (Guest users) should not be able to see the sha.
But `Projects::ReleasesController` exposes the `sha` field in the https://gitlab.com/gitlab-org/gitlab/-/releases.json
MR filter uses the `index.json` endpoint to get the list of releases, but it actually needs only the `tag` field:
This MR removes the `sha` by re-using the existing `ReleaseSerializer` instead of `releases.to_json`.
This is a security fix, but since it's a severity4 we decided to bypass the security workflow.
See more comments on the code itself.
See #191332 (closed) for more details.
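Added illustration of the defect class this MR fixes, not GitLab's own code: dumping a model with `to_json` serializes every attribute, while an explicit serializer whitelists fields and gates the restricted one on permission. `Release`, `SAMPLE_RELEASES`, the stand-in `ReleaseSerializer` and the `can_download_code` flag are assumptions constructed for this example.

```ruby
require 'json'

# Constructed sample model: sha is the field only users with permission
# to download code may see (hypothetical, not GitLab's Release model).
Release = Struct.new(:tag, :name, :sha, keyword_init: true)

SAMPLE_RELEASES = [
  Release.new(tag: 'v1.0.0', name: 'First', sha: 'aaaa1111'),  # constructed
  Release.new(tag: 'v1.1.0', name: 'Second', sha: 'bbbb2222'), # constructed
].freeze

# The leaking pattern: serializing the whole record emits every attribute,
# including sha, no matter who is asking.
def leaky_json(releases)
  releases.map(&:to_h).to_json
end

# The pattern the MR moves to: a serializer with an explicit field list.
# Stand-in for ReleaseSerializer; can_download_code is an assumed flag.
class ReleaseSerializer
  PUBLIC_FIELDS = %i[tag name].freeze

  def initialize(can_download_code: false)
    @can_download_code = can_download_code
  end

  def represent(releases)
    releases.map { |r| represent_one(r) }.to_json
  end

  private

  def represent_one(release)
    entry = PUBLIC_FIELDS.to_h { |f| [f.to_s, release[f]] }
    entry['sha'] = release.sha if @can_download_code
    entry
  end
end

# Regression check a reviewer could keep: a guest payload must carry no sha.
def payload_exposes_sha?(json)
  JSON.parse(json).any? { |entry| entry.key?('sha') }
end

# Tags the MR filter needs must survive the whitelist.
def payload_tags(json)
  JSON.parse(json).map { |entry| entry['tag'] }
end
```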
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.