Commit cfb511ea authored by Douwe Maan's avatar Douwe Maan Committed by Rémy Coutable

Merge branch 'fix/import-projectmember-security' into 'security'

Fix Import/Export foreign key issue to do with project members

Cleans-up any foreign keys in `ProjectMember` - same as we do with the rest of the models when importing.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23837 and https://gitlab.com/gitlab-org/gitlab-ce/issues/23739

See merge request !2020
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent c9578688
...@@ -3,10 +3,25 @@ module Gitlab ...@@ -3,10 +3,25 @@ module Gitlab
class AttributeCleaner class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + ['group_id'] ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + ['group_id']
def self.clean!(relation_hash:) def self.clean(*args)
relation_hash.reject! do |key, _value| new(*args).clean
key.end_with?('_id') && !ALLOWED_REFERENCES.include?(key) end
end
def initialize(relation_hash:, relation_class:)
@relation_hash = relation_hash
@relation_class = relation_class
end
def clean
@relation_hash.reject do |key, _value|
prohibited_key?(key) || !@relation_class.attribute_method?(key)
end.except('id')
end
private
def prohibited_key?(key)
key.end_with?('_id') && !ALLOWED_REFERENCES.include?(key)
end end
end end
end end
......
...@@ -55,7 +55,12 @@ module Gitlab ...@@ -55,7 +55,12 @@ module Gitlab
end end
def member_hash(member) def member_hash(member)
member.except('id').merge(source_id: @project.id, importing: true) parsed_hash(member).merge('source_id' => @project.id, 'importing' => true)
end
def parsed_hash(member)
Gitlab::ImportExport::AttributeCleaner.clean(relation_hash: member.deep_stringify_keys,
relation_class: ProjectMember)
end end
def find_project_user_query(member) def find_project_user_query(member)
......
...@@ -14,7 +14,7 @@ module Gitlab ...@@ -14,7 +14,7 @@ module Gitlab
priorities: :label_priorities, priorities: :label_priorities,
label: :project_label }.freeze label: :project_label }.freeze
USER_REFERENCES = %w[author_id assignee_id updated_by_id user_id].freeze USER_REFERENCES = %w[author_id assignee_id updated_by_id user_id created_by_id].freeze
PROJECT_REFERENCES = %w[project_id source_project_id gl_project_id target_project_id].freeze PROJECT_REFERENCES = %w[project_id source_project_id gl_project_id target_project_id].freeze
...@@ -30,7 +30,7 @@ module Gitlab ...@@ -30,7 +30,7 @@ module Gitlab
def initialize(relation_sym:, relation_hash:, members_mapper:, user:, project_id:) def initialize(relation_sym:, relation_hash:, members_mapper:, user:, project_id:)
@relation_name = OVERRIDES[relation_sym] || relation_sym @relation_name = OVERRIDES[relation_sym] || relation_sym
@relation_hash = relation_hash.except('id', 'noteable_id').merge('project_id' => project_id) @relation_hash = relation_hash.except('noteable_id').merge('project_id' => project_id)
@members_mapper = members_mapper @members_mapper = members_mapper
@user = user @user = user
@imported_object_retries = 0 @imported_object_retries = 0
...@@ -172,11 +172,8 @@ module Gitlab ...@@ -172,11 +172,8 @@ module Gitlab
end end
def parsed_relation_hash def parsed_relation_hash
@parsed_relation_hash ||= begin @parsed_relation_hash ||= Gitlab::ImportExport::AttributeCleaner.clean(relation_hash: @relation_hash,
Gitlab::ImportExport::AttributeCleaner.clean!(relation_hash: @relation_hash) relation_class: relation_class)
@relation_hash.reject { |k, _v| !relation_class.attribute_method?(k) }
end
end end
def set_st_diffs def set_st_diffs
......
require 'spec_helper' require 'spec_helper'
describe Gitlab::ImportExport::AttributeCleaner, lib: true do describe Gitlab::ImportExport::AttributeCleaner, lib: true do
let(:relation_class){ double('relation_class').as_null_object }
let(:unsafe_hash) do let(:unsafe_hash) do
{ {
'id' => 101,
'service_id' => 99, 'service_id' => 99,
'moved_to_id' => 99, 'moved_to_id' => 99,
'namespace_id' => 99, 'namespace_id' => 99,
...@@ -27,8 +29,9 @@ describe Gitlab::ImportExport::AttributeCleaner, lib: true do ...@@ -27,8 +29,9 @@ describe Gitlab::ImportExport::AttributeCleaner, lib: true do
end end
it 'removes unwanted attributes from the hash' do it 'removes unwanted attributes from the hash' do
described_class.clean!(relation_hash: unsafe_hash) # allow(relation_class).to receive(:attribute_method?).and_return(true)
parsed_hash = described_class.clean(relation_hash: unsafe_hash, relation_class: relation_class)
expect(unsafe_hash).to eq(post_safe_hash) expect(parsed_hash).to eq(post_safe_hash)
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment