author | DJ Mountney <david@twkie.net> | 2019-11-25 16:35:52 -0800 |
---|---|---|
committer | Imre Farkas <ifarkas@gitlab.com> | 2019-11-26 10:18:56 +0100 |
commit | 70f684b5841a5c0ed868658243cca351ef31a59c (patch) | |
tree | 6d0aa1d98acfbddbed81b2632b55f31face15952 /lib | |
parent | 4c442bdda212490c660a4c0acd82d03f60d72dc9 (diff) | |
download | gitlab-ce-70f684b5841a5c0ed868658243cca351ef31a59c.tar.gz |
Ensure attributes that end in `_ids` are cleaned
This prevents an issue where you can steal other projects' objects by
asking for ids that don't belong to you during import.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/import_export/attribute_cleaner.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index b2fe9592c06..50fec9f3eb9 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
 module ImportExport
 class AttributeCleaner
 ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
 def self.clean(*args)
 new(*args).clean |
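Review bot: PROHIBITED_REFERENCES is still a suffix denylist, so the new `/_ids\Z/` entry closes this one case but any other key that assigns an association by reference will pass until someone adds it; the constant deserves a comment saying so, e.g. `# Keys that reference other records by id (*_id, *_ids) must never be taken from the import file; extend this list when a new reference-style attribute appears.` The two id patterns can also be written as one, `/_ids?\Z/`, which keeps the singular and plural forms from drifting apart. The class body continues outside the hunk, so how `clean` applies this constant against ALLOWED_REFERENCES is not visible here; it is worth confirming that no `_ids` name is let back in through that list. The diffstat is limited to `lib`, so I cannot tell whether a spec covering a `*_ids` key was added alongside.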