Merge branch 'master' of gitlab.com:gitlab-org/security/gitlab

changelogs/unreleased/security-project-import-vn-master.yml

+---
+title: Fix private objects exposure when using Project Import functionality
+merge_request:
+author:
+type: security

lib/gitlab/import_export/attribute_cleaner.rb

@@ -3,8 +3,8 @@
 module Gitlab
   module ImportExport
     class AttributeCleaner
-      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
 
       def self.clean(*args)
         new(*args).clean

spec/lib/gitlab/import_export/attribute_cleaner_spec.rb

@@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
       'legit_html' => '<p>legit html</p>',
       '_html' => '<p>perfectly ordinary html</p>',
       'cached_markdown_version' => 12345,
+      'custom_attributes' => 'whatever',
+      'some_attributes_metadata' => 'whatever',
       'group_id' => 99,
       'commit_id' => 99,
       'issue_ids' => [1, 2, 3],
       'merge_request_ids' => [1, 2, 3],
-      'note_ids' => [1, 2, 3]
+      'note_ids' => [1, 2, 3],
+      'attributes' => {
+        'issue_ids' => [1, 2, 3],
+        'merge_request_ids' => [1, 2, 3],
+        'note_ids' => [1, 2, 3]
+      },
+      'variables_attributes' => {
+        'id' => 1
+      }
     }
   end
 
@@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
       'random_id_in_the_middle' => 99,
       'notid' => 99,
       'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'custom_attributes' => 'whatever'
     }
   end