diff options
author | DJ Mountney <david@twkie.net> | 2019-11-25 16:35:52 -0800 |
---|---|---|
committer | Imre Farkas <ifarkas@gitlab.com> | 2019-11-26 12:13:00 +0100 |
commit | 483d36b2edc08062882eb111e697216c0cb234b5 (patch) | |
tree | ecdc65d14aed76403169c4f04c47be207fce1b35 | |
parent | 3d7b56c54620b0ff31a3a455144bf4fef2377c17 (diff) | |
download | gitlab-ce-483d36b2edc08062882eb111e697216c0cb234b5.tar.gz |
Ensure attributes that end in `_ids` are cleaned
This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.
-rw-r--r-- | lib/gitlab/import_export/attribute_cleaner.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb index b2fe9592c06..50fec9f3eb9 100644 --- a/lib/gitlab/import_export/attribute_cleaner.rb +++ b/lib/gitlab/import_export/attribute_cleaner.rb @@ -4,7 +4,7 @@ module Gitlab module ImportExport class AttributeCleaner ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id] - PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze + PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze def self.clean(*args) new(*args).clean |