diff options
| author | DJ Mountney <david@twkie.net> | 2019-11-25 16:35:52 -0800 |
|---|---|---|
| committer | Imre Farkas <ifarkas@gitlab.com> | 2019-11-26 10:26:25 +0100 |
| commit | 0531a33889145d8bfa05fd8bcdc033aaceb4987d (patch) | |
| tree | b4955163e90dd309414c80bdc91094b08ba8b21a | |
| parent | 23d237110e6a646dec08e1f5b4696d2d9c51cfef (diff) | |
| download | gitlab-ce-0531a33889145d8bfa05fd8bcdc033aaceb4987d.tar.gz | |
Ensure attributes that end in `_ids` are cleaned
This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.
| -rw-r--r-- | lib/gitlab/import_export/attribute_cleaner.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb index b2fe9592c06..50fec9f3eb9 100644 --- a/lib/gitlab/import_export/attribute_cleaner.rb +++ b/lib/gitlab/import_export/attribute_cleaner.rb @@ -4,7 +4,7 @@ module Gitlab module ImportExport class AttributeCleaner ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id] - PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze + PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze def self.clean(*args) new(*args).clean |