Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable'

Ensure attributes that end in `_ids` are cleaned See merge request gitlab/gitlabhq!3558

Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable'
Ensure attributes that end in `_ids` are cleaned See merge request gitlab/gitlabhq!3558
1c029e63 · GitLab Release Tools Bot · 4c442bdd · 518835f7 · 1c029e63 · 1c029e63
Commit 1c029e63 authored Nov 26, 2019 by GitLab Release Tools Bot
3 changed files
--- a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
+++ b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
  module ImportExport
    class AttributeCleaner
      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
      def self.clean(*args)
        new(*args).clean

--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -24,7 +24,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
      '_html' => '<p>perfectly ordinary html</p>',
      'cached_markdown_version' => 12345,
      'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'issue_ids' => [1, 2, 3],
+      'merge_request_ids' => [1, 2, 3],
+      'note_ids' => [1, 2, 3]
    }
  end