Ensure attributes that end in `_ids` are cleaned

This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import.

Ensure attributes that end in `_ids` are cleaned
40519cc1 · DJ Mountney · Imre (Admin) · 9220fd9d · 40519cc1
Commit 40519cc1 authored 5 years ago by DJ Mountney Committed by Imre (Admin) 5 years ago
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
  module ImportExport
    class AttributeCleaner
      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
  
      def self.clean(*args)
        new(*args).clean