authorGitLab Bot <gitlab-bot@gitlab.com>2020-01-10 14:37:19 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-01-10 14:37:19 +0000
commit8eee96e58215f88b165183c501f0e97b90a2007c (patch)
tree3dfa7e5170b04c47c5c2728f9d00c037f253be24
parent13cad23a0e426acf2bbecc498ac4ede2ccac94a5 (diff)
Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee
-rw-r--r--CHANGELOG.md1
-rw-r--r--VERSION2
-rw-r--r--changelogs/unreleased/security-project-import-vn-master.yml5
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb4
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb15
5 files changed, 21 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff7faa4ef2a..8b02034466d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,6 @@ entry.
## 12.6.3
-- No changes.
### Security (1 change)
- Upgrade json-jwt to v1.11.0. !22440
diff --git a/VERSION b/VERSION
index 1121ad37eee..c7190eac8d3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-12.6.3
+12.6.3-ee
diff --git a/changelogs/unreleased/security-project-import-vn-master.yml b/changelogs/unreleased/security-project-import-vn-master.yml
new file mode 100644
index 00000000000..930358626fd
--- /dev/null
+++ b/changelogs/unreleased/security-project-import-vn-master.yml
@@ -0,0 +1,5 @@
+---
+title: Fix private objects exposure when using Project Import functionality
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index c8dbec7bcba..00c4c41e6be 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
- ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+ ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
def self.clean(*args)
new(*args).clean
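Review bot: The new ALLOWED_REFERENCES line is still a mutable Array constant while the PROHIBITED_REFERENCES directly beneath it is frozen; wrap the concatenation as `ALLOWED_REFERENCES = (RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]).freeze` so the allowlist cannot be widened at runtime by an accidental `<<`. The added `/attributes/` alternative is the only unanchored pattern in the union and now rejects any key that merely contains that substring (the accompanying spec feeds it `some_attributes_metadata`), so it deserves a why-comment such as `# unanchored on purpose: any key containing "attributes" may carry a nested hash and is dropped unless allowlisted` — without it a later reader is likely to "tighten" it to `\A`/`\z` anchors and reopen the exposure the changelog entry describes. Whether `custom_attributes` actually survives depends on how `clean` weighs ALLOWED_REFERENCES against the prohibited union, and that method body lies outside the hunk, so the precedence rule should be stated next to the constants rather than left implicit.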
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 44192c4639d..12857f97f7c 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
+ 'custom_attributes' => 'whatever',
+ 'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
- 'note_ids' => [1, 2, 3]
+ 'note_ids' => [1, 2, 3],
+ 'attributes' => {
+ 'issue_ids' => [1, 2, 3],
+ 'merge_request_ids' => [1, 2, 3],
+ 'note_ids' => [1, 2, 3]
+ },
+ 'variables_attributes' => {
+ 'id' => 1
+ }
}
end
@@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
- 'commit_id' => 99
+ 'commit_id' => 99,
+ 'custom_attributes' => 'whatever'
}
end