author Douwe Maan <douwe@gitlab.com> 2016-09-30 07:31:02 +0000
committer Douwe Maan <douwe@gitlab.com> 2016-09-30 07:31:02 +0000
commit 8a866bfce3f3234554b593e4cbd9013d58a42d1e (patch)
tree c3ff9ffc4d170d833d287535437363ddad047497 /config.ru
parent 923a1f7ace53f4913284c384ae2a20a39a999f99 (diff)
parent 9e0b7c630f2fc64805062d0c7e02fd6092631071 (diff)
download gitlab-ce-8a866bfce3f3234554b593e4cbd9013d58a42d1e.tar.gz
Merge branch 'fix/id-claim-import-issue' into 'master'
Prevent claiming associated model IDs via import

On the import side, we should be careful not to use any IDs as part of the JSON file that could have been manipulated.

Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/20821

Things we already do (__before__ this fix):

1. Remove all primary keys
1. **Always** reassign some of the foreign keys, such as ALL project IDs and user IDs (so it would be difficult to impersonate or try to gain access to another project)
1. Ignore/reject attributes that do not exist in the model
1. If someone reassigns a foreign key `submodel_id`, and that object has another json as the submodel, the new submodel will reassign the `submodel_id` to the newly created submodel ID.

Things we should do:

1. Remove/nullify any other foreign keys that we don't reassign (checked this, and there aren't many, fortunately. In fact, I don't think much harm can be done at all - at the moment).

See merge request !1985
Diffstat (limited to 'config.ru')
0 files changed, 0 insertions, 0 deletions
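
The handling listed in the merge description, sketched in plain Ruby as an added example (this is not GitLab's import code and not part of the commit). The attribute names, `ALLOWED_ATTRIBUTES`, `USER_KEYS`, `sanitize_relation` and the sample record are assumptions made for illustration.

```ruby
require 'json'

# Hypothetical model description, not GitLab's schema.
ALLOWED_ATTRIBUTES = %w[id title project_id author_id milestone_id moved_to_id].freeze
USER_KEYS = %w[author_id].freeze

# Constructed sample: one tampered issue record from a project export file.
SAMPLE_JSON = <<~JSON
  {"id": 1, "title": "Imported issue", "project_id": 7, "author_id": 1,
   "milestone_id": 99, "moved_to_id": 4242, "admin": true}
JSON

# attrs:       one relation hash parsed from the import file (untrusted)
# project_id:  ID of the project this import is creating
# importer_id: ID of the user running the import
# created_ids: foreign key name => ID of a record this import itself created
def sanitize_relation(attrs, project_id:, importer_id:, created_ids: {})
  attrs.each_with_object({}) do |(key, value), clean|
    next unless ALLOWED_ATTRIBUTES.include?(key) # reject attributes the model lacks
    next if key == 'id'                          # drop the primary key
    clean[key] =
      if key == 'project_id'        then project_id        # always reassigned
      elsif USER_KEYS.include?(key) then importer_id       # always reassigned
      elsif key.end_with?('_id')    then created_ids[key]  # nil unless created here
      else value
      end
  end
end

# Runs the sanitizer over the constructed sample record.
def sanitized_sample
  sanitize_relation(JSON.parse(SAMPLE_JSON), project_id: 50, importer_id: 12,
                    created_ids: { 'milestone_id' => 301 })
end

puts JSON.pretty_generate(sanitized_sample) if $PROGRAM_NAME == __FILE__
```

In the sample, `milestone_id` is rewritten to the ID of the milestone created from the nested JSON, while `moved_to_id`, which the importer never reassigns, comes out as `nil` instead of pointing at a record in another project.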