Commit 5a411b6e authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'master' of gitlab.com:gitlab-org/security/gitlab

parents 493c7ac8 74dcf9b4
---
title: Fix private objects exposure when using Project Import functionality
merge_request:
author:
type: security
......@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
def self.clean(*args)
new(*args).clean
......
......@@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'custom_attributes' => 'whatever',
'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
'note_ids' => [1, 2, 3],
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
},
'variables_attributes' => {
'id' => 1
}
}
end
......@@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
'commit_id' => 99
'commit_id' => 99,
'custom_attributes' => 'whatever'
}
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment