Use allowlist for importing project attributes

This change updates project attribute import by switching from an exclude list to an allowlist behavior. Changelog: changed

Use allowlist for importing project attributes
This change updates project attribute import by switching from an exclude list to an allowlist behavior. Changelog: changed
c8c6f468 · Igor Frenkel · e4d7915e · c8c6f468 · c8c6f468 · c8c6f468
Commit c8c6f468 authored Oct 14, 2021 by Igor Frenkel
3 changed files
--- a/lib/gitlab/import_export/group/relation_tree_restorer.rb
+++ b/lib/gitlab/import_export/group/relation_tree_restorer.rb
@@ -106,12 +106,7 @@ module Gitlab
        def update_params!
          params = @importable_attributes.except(*relations.keys.map(&:to_s))
          params = params.merge(present_override_params)
+          params = filter_attributes(params)
-          # Cleaning all imported and overridden params
-          params = Gitlab::ImportExport::AttributeCleaner.clean(
-            relation_hash: params,
-            relation_class: importable_class,
-            excluded_keys: excluded_keys_for_relation(importable_class_sym))
          @importable.assign_attributes(params)
@@ -122,6 +117,25 @@ module Gitlab
          end
        end
+        def filter_attributes(params)
+          if use_attributes_permitter? && attributes_permitter.permitted_attributes_defined?(importable_class_sym)
+            attributes_permitter.permit(importable_class_sym, params)
+          else
+            Gitlab::ImportExport::AttributeCleaner.clean(
+              relation_hash:  params,
+              relation_class: importable_class,
+              excluded_keys:  excluded_keys_for_relation(importable_class_sym))
+          end
+        end
+        def attributes_permitter
+          @attributes_permitter ||= Gitlab::ImportExport::AttributesPermitter.new
+        end
+        def use_attributes_permitter?
+          Feature.enabled?(:permitted_attributes_for_import_export, default_enabled: :yaml)
+        end
        def present_override_params
          # we filter out the empty strings from the overrides
          # keeping the default values configured

--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -490,6 +490,59 @@ included_attributes:
    - :created_at
    - :updated_at
    - :summary
+  project:
+    - :approvals_before_merge
+    - :archived
+    - :auto_cancel_pending_pipelines
+    - :autoclose_referenced_issues
+    - :build_allow_git_fetch
+    - :build_coverage_regex
+    - :build_timeout
+    - :ci_config_path
+    - :delete_error
+    - :description
+    - :disable_overriding_approvers_per_merge_request
+    - :external_authorization_classification_label
+    - :external_webhook_token
+    - :has_external_issue_tracker
+    - :has_external_wiki
+    - :issues_template
+    - :jobs_cache_index
+    - :last_repository_check_failed
+    - :merge_requests_author_approval
+    - :merge_requests_disable_committers_approval
+    - :merge_requests_ff_only_enabled
+    - :merge_requests_rebase_enabled
+    - :merge_requests_template
+    - :only_allow_merge_if_all_discussions_are_resolved
+    - :only_allow_merge_if_pipeline_succeeds
+    - :pages_https_only
+    - :pending_delete
+    - :printing_merge_request_link_enabled
+    - :public_builds
+    - :remove_source_branch_after_merge
+    - :request_access_enabled
+    - :require_password_to_approve
+    - :reset_approvals_on_push
+    - :resolve_outdated_diff_discussions
+    - :service_desk_enabled
+    - :shared_runners_enabled
+    - :suggestion_commit_message
+    - :visibility_level
+    - :hooks
+    - :issues_access_level
+    - :forking_access_level
+    - :merge_requests_access_level
+    - :wiki_access_level
+    - :snippets_access_level
+    - :builds_access_level
+    - :repository_access_level
+    - :pages_access_level
+    - :metrics_dashboard_access_level
+    - :analytics_access_level
+    - :operations_access_level
+    - :security_and_compliance_access_level
+    - :container_registry_access_level
 # Do not include the following attributes for the models specified.
 excluded_attributes:
@@ -879,3 +932,5 @@ ee:
      - :auto_fix_dast
      - :auto_fix_dependency_scanning
      - :auto_fix_sast
+    project:
+      - :requirements_access_level
--- a/spec/lib/gitlab/import_export/attributes_permitter_spec.rb
+++ b/spec/lib/gitlab/import_export/attributes_permitter_spec.rb
@@ -126,6 +126,7 @@ RSpec.describe Gitlab::ImportExport::AttributesPermitter do
      :project_feature             | true
      :prometheus_metrics          | true
      :service_desk_setting        | true
+      :project                     | true
    end
    with_them do