Merge branch 'security-exclude_ids_attribute_cleaning-ce' into 'master'

Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3561

changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml

@@ -0,0 +1,5 @@
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security

lib/gitlab/import_export/attribute_cleaner.rb

@@ -4,7 +4,7 @@ module Gitlab
   module ImportExport
     class AttributeCleaner
       ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
 
       def self.clean(*args)
         new(*args).clean

spec/lib/gitlab/import_export/attribute_cleaner_spec.rb

@@ -26,7 +26,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
       '_html' => '<p>perfectly ordinary html</p>',
       'cached_markdown_version' => 12345,
       'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'issue_ids' => [1, 2, 3],
+      'merge_request_ids' => [1, 2, 3],
+      'note_ids' => [1, 2, 3]
     }
   end