author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:52 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:52 +0000 |
commit | 1c029e63564daacfc77488968b5f8b9e3ef5470a (patch) | |
tree | 2fbea12cb0f6770e7b58d6b732208c1049aef8c2 | |
parent | 4c442bdda212490c660a4c0acd82d03f60d72dc9 (diff) | |
parent | 518835f78247bee12e5ce75b4efe03bdb79b5004 (diff) | |
download | gitlab-ce-1c029e63564daacfc77488968b5f8b9e3ef5470a.tar.gz |
Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable'
Ensure attributes that end in `_ids` are cleaned
See merge request gitlab/gitlabhq!3558
3 files changed, 10 insertions, 2 deletions
diff --git a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
new file mode 100644
index 00000000000..08fc1393f20
--- /dev/null
+++ b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index b2fe9592c06..50fec9f3eb9 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
   module ImportExport
     class AttributeCleaner
       ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
 
       def self.clean(*args)
         new(*args).clean
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 873728f9909..1b28e26a7e8 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -24,7 +24,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
         '_html' => '<p>perfectly ordinary html</p>',
         'cached_markdown_version' => 12345,
         'group_id' => 99,
-        'commit_id' => 99
+        'commit_id' => 99,
+        'issue_ids' => [1, 2, 3],
+        'merge_request_ids' => [1, 2, 3],
+        'note_ids' => [1, 2, 3]
       }
     end
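Review bot: PROHIBITED_REFERENCES is a suffix denylist and carries no comment explaining why the `_id`/`_ids`/`_html`/`cached_markdown_version` shapes are rejected, so the next maintainer has no hint that a newly introduced attribute naming pattern must be added here too; I would document the intent above the constant, e.g. `# Import payloads are untrusted: attributes that look like database references (`*_id`, `*_ids`) or pre-rendered caches (`*_html`, cached_markdown_version) are dropped unless explicitly allowed below, so they cannot point at records the importer does not own.` (the "unless explicitly allowed" part is inferred from ALLOWED_REFERENCES and should be confirmed against the `clean` body, which is outside the hunk). As a minor point of style, all four patterns use `\Z`, which also matches before a trailing newline; `\z` is the strict end-of-string anchor, though for attribute names the difference only makes the denylist marginally broader, which is the safe direction. The AttributeCleaner class continues past the end of the hunk.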
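Review bot: The three new `_ids` entries are added to the fixture only, and the assertion that they are actually removed after cleaning is outside the hunk, so this hunk alone cannot show the regression is covered; the expectation block should be checked to confirm it compares against the full unsafe hash rather than an enumerated subset. Since the cleaner matches on the key name rather than the value, a single non-array entry such as `'label_ids' => '1,2,3'` would document that the value type is irrelevant to the check. The enclosing `let` block and the `describe` begin before the hunk.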