Ensure attributes that end in `_ids` are cleaned

This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import.

Ensure attributes that end in `_ids` are cleaned
This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import.
0531a338 · DJ Mountney · Imre Farkas · 23d23711 · 0531a338
Commit 0531a338 authored Nov 25, 2019 by DJ Mountney Committed by Imre Farkas Nov 26, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

lib/gitlab/import_export/attribute_cleaner.rb lib/gitlab/import_export/attribute_cleaner.rb +1 -1

No files found.
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
  module ImportExport
    class AttributeCleaner
      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze

      def self.clean(*args)
        new(*args).clean