    Merge branch 'fix/id-claim-import-issue' into 'master' · 04def4d8
    Douwe Maan authored
    Prevent claiming associated model IDs via import
    
    On the import side, we should be careful not to use any IDs as part of the JSON file that could have been manipulated.
    
    Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/20821
    
    Things we already do (__before__ this fix):
    
    1. Remove all primary keys
    1. **Always** reassign some of the foreign keys, such as ALL project IDs and user IDs (so it would be difficult to impersonate or try to gain access to another project)
    1. Ignore/reject attributes that do not exist in the model
    1. If someone reassigns a foreign key `submodel_id`, and that object has another JSON as the submodel, the new submodel will reassign the `submodel_id` to the newly created submodel ID.
    
    Things we should do:
    
    1. Remove/nullify any other foreign keys that we don't reassign (checked this, and there aren't many, fortunately. In fact, I don't think much harm can be done at all - at the moment).
    
    See merge request !1985
    Signed-off-by: Rémy Coutable <remy@rymai.me>
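The four import rules listed in the commit message (drop primary keys, always overwrite project/user foreign keys from the importer's context, reject unknown attributes, and remap or nullify every other foreign key), as an added illustration that is not GitLab's own `relation_factory.rb`. The column whitelist, the `known_submodels` map of already-created submodel IDs and the sample input are all constructed for this example.

```ruby
require 'set'

# Hypothetical model description: the only columns the model actually has.
# Anything else in the imported JSON is rejected outright.
MODEL_COLUMNS = Set.new(%w[id title description project_id author_id
                           assignee_id milestone_id created_at]).freeze

# Foreign keys that are ALWAYS taken from the importing context, never from
# the file, so a crafted export cannot point at someone else's project or user.
def reassigned_keys(project_id, importer_user_id)
  { 'project_id' => project_id, 'author_id' => importer_user_id }
end

# Returns a new attribute hash that is safe to hand to the model.
# known_submodels maps a foreign key name (e.g. 'milestone_id') to the id of
# the submodel that was just created from the same file.
def sanitize_relation(attrs, project_id:, importer_user_id:, known_submodels: {})
  attrs = attrs.transform_keys(&:to_s)
  forced = reassigned_keys(project_id, importer_user_id)

  # 1. Remove the primary key: the new record always gets a fresh id.
  attrs.delete('id')

  # 2. Ignore/reject attributes that do not exist on the model.
  attrs = attrs.select { |key, _| MODEL_COLUMNS.include?(key) }

  # 3. Always reassign project and user IDs from the importer's context.
  attrs.merge!(forced)

  # 4. Any remaining *_id is either remapped to a submodel created during this
  #    import or nullified; it is never trusted as it appears in the file.
  attrs.keys.each do |key|
    next unless key.end_with?('_id') && !forced.key?(key)
    attrs[key] = known_submodels.fetch(key, nil)
  end
  attrs
end

# Constructed sample: a record whose ids all point outside the importing project.
IMPORTED_ISSUE = {
  'id' => 99, 'title' => 'Example', 'project_id' => 1, 'author_id' => 1,
  'assignee_id' => 7, 'milestone_id' => 3, 'admin' => true
}.freeze

if __FILE__ == $PROGRAM_NAME
  p sanitize_relation(IMPORTED_ISSUE, project_id: 500, importer_user_id: 42,
                                      known_submodels: { 'milestone_id' => 1001 })
end
```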