author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:26 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:26 +0000 |
commit | 52444f1043ca345790bc765162caba0a633328a9 (patch) | |
tree | bdcefeb082c0da1c69cd88e1929752fdbb43b0b0 | |
parent | 3d7b56c54620b0ff31a3a455144bf4fef2377c17 (diff) | |
parent | 7aea2c20ce66f212874faa87abc67e0294e66f83 (diff) | |
Merge branch 'security-exclude_ids_attribute_cleaning-12-4-ce' into '12-4-stable'
Ensure attributes that end in `_ids` are cleaned
See merge request gitlab/gitlabhq!3559
3 files changed, 10 insertions, 2 deletions
diff --git a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
new file mode 100644
index 00000000000..08fc1393f20
--- /dev/null
+++ b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index b2fe9592c06..50fec9f3eb9 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
   module ImportExport
     class AttributeCleaner
       ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
 
       def self.clean(*args)
         new(*args).clean
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 873728f9909..1b28e26a7e8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -24,7 +24,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
         '_html' => '<p>perfectly ordinary html</p>',
         'cached_markdown_version' => 12345,
         'group_id' => 99,
-        'commit_id' => 99
+        'commit_id' => 99,
+        'issue_ids' => [1, 2, 3],
+        'merge_request_ids' => [1, 2, 3],
+        'note_ids' => [1, 2, 3]
       }
     end |
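Review bot: PROHIBITED_REFERENCES in attribute_cleaner.rb is a suffix denylist that is being grown one pattern at a time (`/_id\Z/` before, `/_ids\Z/` now), and nothing in the hunk records why these suffixes are dropped, so the next association-shaped attribute (a different pluralisation or a custom reference column) can slip through the same way `_ids` did. A short comment above the constant would capture the intent, e.g. `# Attributes matching these suffixes are stripped from imported data unless listed in ALLOWED_REFERENCES; they look like relation references and must not be taken from the import file — extend this list when new reference-style attributes are added.` Note also that the regexes use `\Z`, which still matches before a trailing newline; for a denylist that is the permissive direction, so it is acceptable, but `\z` would state the intent more precisely. The enclosing class continues outside the hunk, and the spec hunk adds `issue_ids`, `merge_request_ids` and `note_ids` to the prohibited fixture without the expectation that consumes it being in view, so whether the removal is asserted cannot be confirmed from here.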