SECURITY: do not include links from whispers in topic summary map

https://meta.discourse.org/t/staff-whispers-links-in-whispers-showing-up-publicly-in-topics-summary/69134?u=techapj

app/models/topic_link.rb

@@ -103,7 +103,7 @@ SQL
 
   # Extract any urls in body
   def self.extract_from(post)
-    return unless post.present?
+    return unless post.present? && !post.whisper?
 
     added_urls = []
     TopicLink.transaction do

db/migrate/20170831180419_remove_whisper_topic_links.rb

@@ -0,0 +1,11 @@
+class RemoveWhisperTopicLinks < ActiveRecord::Migration
+  def change
+    execute <<-SQL
+      DELETE FROM topic_links
+       USING topic_links tl
+   LEFT JOIN posts p ON p.id = tl.post_id
+       WHERE p.post_type = 4
+         AND topic_links.id = tl.id
+    SQL
+  end
+end

spec/models/topic_link_spec.rb

@@ -331,6 +331,13 @@ http://b.com/#{'a'*500}
         expect(TopicLink.counts_for(Guardian.new(admin), post.topic, [post]).length).to eq(1)
       end
 
+      it 'does not include links from whisper' do
+        url = "https://blog.codinghorror.com/hacker-hack-thyself/"
+        post = Fabricate(:post, raw: "whisper post... #{url}", post_type: Post.types[:whisper])
+        TopicLink.extract_from(post)
+
+        expect(TopicLink.topic_map(Guardian.new, post.topic_id).count).to eq(0)
+      end
     end
 
     describe ".duplicate_lookup" do