Commit 8eee96e5 authored by GitLab Bot's avatar GitLab Bot
Browse files

Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee

parent 13cad23a
......@@ -4,7 +4,6 @@ entry.
 
## 12.6.3
 
- No changes.
### Security (1 change)
 
- Upgrade json-jwt to v1.11.0. !22440
......
---
title: Fix private objects exposure when using Project Import functionality
merge_request:
author:
type: security
......@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
 
def self.clean(*args)
new(*args).clean
......
......@@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'custom_attributes' => 'whatever',
'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
'note_ids' => [1, 2, 3],
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
},
'variables_attributes' => {
'id' => 1
}
}
end
 
......@@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
'commit_id' => 99
'commit_id' => 99,
'custom_attributes' => 'whatever'
}
end
 
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment