Merge branch 'fix-github-import-MR-wrong-project' into 'security'

Fix labels being applied to wrong merge requests on GitHub import

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2064

2 files changed, 11 insertions, 3 deletions

diff --git a/changelogs/unreleased/labels-assigned-to-wrong-project.yml b/changelogs/unreleased/labels-assigned-to-wrong-project.yml
new file mode 100644
index 00000000000..0f4a88075a4
--- /dev/null
+++ b/changelogs/unreleased/labels-assigned-to-wrong-project.yml
@@ -0,0 +1,4 @@
+---
+title: Prevent the GitHub importer from assigning labels and comments to merge requests or issues belonging to other projects.
+merge_request:
+author:
diff --git a/lib/gitlab/github_import/importer.rb b/lib/gitlab/github_import/importer.rb
index ec1318ab33c..9a4ffd28438 100644
--- a/lib/gitlab/github_import/importer.rb
+++ b/lib/gitlab/github_import/importer.rb
@@ -115,7 +115,7 @@ module Gitlab
             begin
               issuable =
                 if gh_issue.pull_request?
-                  MergeRequest.find_by_iid(gh_issue.number)
+                  MergeRequest.find_by(target_project_id: project.id, iid: gh_issue.number)
                 else
                   gh_issue.create!
                 end
@@ -212,8 +212,12 @@ module Gitlab
               comment         = CommentFormatter.new(project, raw)
               # GH does not return info about comment's parent, so we guess it by checking its URL!
               *_, parent, iid = URI(raw.html_url).path.split('/')
-              issuable_class = parent == 'issues' ? Issue : MergeRequest
-              issuable       = issuable_class.find_by_iid(iid)
+              if parent == 'issues'
+                issuable = Issue.find_by(project_id: project.id, iid: iid)
+              else
+                issuable = MergeRequest.find_by(target_project_id: project.id, iid: iid)
+              end
+
               next unless issuable
 
               issuable.notes.create!(comment.attributes)