Add new spec to validate import export

spec/lib/gitlab/import_export/references_configuration_spec.rb

+require 'spec_helper'
+
+# Part of the test security suite for the Import/Export feature
+# Checks whether there are new reference attributes ending with _id in models that are currently being exported as part of the
+# project Import/Export feature.
+# If there are new references (foreign keys), these will have to either be replaced with actual relation
+# or to be blacklisted by using the import_export.yml configuration file.
+# Likewise, new models added to import_export.yml, will need to be added with their correspondent relations
+# to this spec.
+describe 'Import/Export references configuration' do
+  include ConfigurationHelper
+
+  it 'has no prohibited keys' do
+    relation_names.each do |relation_name|
+      relation_class = relation_class_for_name(relation_name)
+      relation_attributes = relation_class.new.attributes.keys - relation_class.encrypted_attributes.keys.map(&:to_s)
+      current_attributes = parsed_attributes(relation_name, relation_attributes)
+
+      prohibited_keys = current_attributes.select do |attribute|
+        prohibited_key?(attribute) || !relation_class.attribute_method?(attribute)
+      end
+
+      expect(prohibited_keys).to be_empty, failure_message(relation_class.to_s, prohibited_keys)
+    end
+  end
+
+  def failure_message(relation_class, prohibited_keys)
+    <<-MSG
+      It looks like #{relation_class}, which is exported using the project Import/Export, has references: #{prohibited_keys.join(',')}
+
+      Please replace it with actual relation in IMPORT_EXPORT_CONFIG if you consider this can be exported.
+      Please blacklist the attribute(s) in IMPORT_EXPORT_CONFIG by adding it to its correspondent
+      model in the +excluded_attributes+ section.
+
+      IMPORT_EXPORT_CONFIG: #{Gitlab::ImportExport.config_file}
+    MSG
+  end
+end

spec/support/import_export/configuration_helper.rb

 # frozen_string_literal: true
 
 module ConfigurationHelper
+  ALLOWED_REFERENCES = Gitlab::ImportExport::RelationFactory::PROJECT_REFERENCES + Gitlab::ImportExport::RelationFactory::USER_REFERENCES + %w[group_id commit_id]
+  PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+
   # Returns a list of models from hashes/arrays contained in +project_tree+
   def names_from_tree(project_tree)
     project_tree.map do |branch_or_model|
@@ -10,6 +13,19 @@ module ConfigurationHelper
     end
   end
 
+  def config_hash
+    Gitlab::ImportExport::Config.new.to_h.deep_stringify_keys
+  end
+
+  def relation_names
+    names = names_from_tree(config_hash.dig('tree', 'project'))
+    # Remove duplicated or add missing models
+    # - project is not part of the tree, so it has to be added manually.
+    # - milestone, labels, merge_request have both singular and plural versions in the tree, so remove the duplicates.
+    # - User, Author... Models we do not care about for checking models
+    names.flatten.uniq - %w(milestones labels user author merge_request) + ['project']
+  end
+
   def relation_class_for_name(relation_name)
     relation_name = Gitlab::ImportExport::RelationFactory.overrides[relation_name.to_sym] || relation_name
     Gitlab::ImportExport::RelationFactory.relation_class(relation_name)
@@ -18,13 +34,19 @@ module ConfigurationHelper
   def parsed_attributes(relation_name, attributes)
     excluded_attributes = config_hash['excluded_attributes'][relation_name]
     included_attributes = config_hash['included_attributes'][relation_name]
-
     attributes = attributes - JSON[excluded_attributes.to_json] if excluded_attributes
     attributes = attributes & JSON[included_attributes.to_json] if included_attributes
-
     attributes
   end
 
+  def prohibited_key?(key)
+    key =~ PROHIBITED_REFERENCES && !permitted_key?(key)
+  end
+
+  def permitted_key?(key)
+    ALLOWED_REFERENCES.include?(key)
+  end
+
   def associations_for(safe_model)
     safe_model.reflect_on_all_associations.map { |assoc| assoc.name.to_s }
   end