authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-01-13 16:33:46 +0000
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-01-13 16:33:46 +0000
commit410373087baa33a2a1eac0c318ef436bc069a40a (patch)
tree87459b4258c29fe750f4719abf2d33cce86daa1b
parent13cad23a0e426acf2bbecc498ac4ede2ccac94a5 (diff)
parent70900054dfe381ccca7d570d431d96705e6b6473 (diff)
Merge remote-tracking branch 'dev/12-6-stable' into 12-6-stable
-rw-r--r--CHANGELOG.md8
-rw-r--r--VERSION2
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb4
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb15
4 files changed, 23 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff7faa4ef2a..00d04b61690 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,15 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 12.6.4
+
+### Security (1 change)
+
+- Fix private objects exposure when using Project Import functionality.
+
+
## 12.6.3
-- No changes.
### Security (1 change)
- Upgrade json-jwt to v1.11.0. !22440
diff --git a/VERSION b/VERSION
index 1121ad37eee..6a642e0c923 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-12.6.3
+12.6.4
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index c8dbec7bcba..00c4c41e6be 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
- ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+ ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
def self.clean(*args)
new(*args).clean
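Review bot: The new `/attributes/` alternative on the PROHIBITED_REFERENCES line is unanchored, so it strips every key containing that substring — `some_attributes_metadata` in the spec as well as the `attributes` and `*_attributes` keys the fix targets — and nothing on the line records that this breadth is deliberate rather than a narrower `/_attributes\Z/` that was never tightened. A comment such as `# Unanchored on purpose: any key containing "attributes" can reach an AR mass-assignment setter (attributes=, *_attributes=) during import; names that are safe must be listed explicitly in ALLOWED_REFERENCES (e.g. custom_attributes).` would keep the intent from being "fixed" away later. Whether an ALLOWED_REFERENCES entry such as `custom_attributes` takes precedence over a matching prohibited pattern is decided in `clean`, whose body starts below this hunk; the accompanying spec's expected output keeps `custom_attributes`, which suggests it does, so the comment should say that the allowlist wins.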
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 44192c4639d..12857f97f7c 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
+ 'custom_attributes' => 'whatever',
+ 'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
- 'note_ids' => [1, 2, 3]
+ 'note_ids' => [1, 2, 3],
+ 'attributes' => {
+ 'issue_ids' => [1, 2, 3],
+ 'merge_request_ids' => [1, 2, 3],
+ 'note_ids' => [1, 2, 3]
+ },
+ 'variables_attributes' => {
+ 'id' => 1
+ }
}
end
@@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
- 'commit_id' => 99
+ 'commit_id' => 99,
+ 'custom_attributes' => 'whatever'
}
end