Commit 088c3f9a authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-exclude_ids_attribute_cleaning-ce' into 'master'

Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3561
parents 3169ba6b b308c803
---
title: Ensure are cleaned by ImportExport::AttributeCleaner
merge_request:
author:
type: security
......@@ -4,7 +4,7 @@ module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
def self.clean(*args)
new(*args).clean
......
......@@ -26,7 +26,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'group_id' => 99,
'commit_id' => 99
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
}
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment