From 0531a33889145d8bfa05fd8bcdc033aaceb4987d Mon Sep 17 00:00:00 2001
From: DJ Mountney
Date: Mon, 25 Nov 2019 16:35:52 -0800
Subject: [PATCH 1/2] Ensure attributes that end in `_ids` are cleaned

This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import.
---
lib/gitlab/import_export/attribute_cleaner.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index b2fe9592c06..50fec9f3eb9 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,7 +4,7 @@ module Gitlab
 module ImportExport
 class AttributeCleaner
 ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
 
 def self.clean(*args)
 new(*args).clean

From b308c803aa50bc15be049215ab16506608046512 Mon Sep 17 00:00:00 2001
From: Imre Farkas
Date: Tue, 26 Nov 2019 09:32:07 +0100
Subject: [PATCH 2/2] Spec to ensure `_ids` are cleaned by ImportExport::AttributeCleaner

---
.../unreleased/security-exclude_ids_attribute_cleaning.yml | 5 +++++
spec/lib/gitlab/import_export/attribute_cleaner_spec.rb | 5 ++++-
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml

diff --git a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
new file mode 100644
index 00000000000..08fc1393f20
--- /dev/null
+++ b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure are cleaned by ImportExport::AttributeCleaner
+merge_request:
+author:
+type: security
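Review bot: The new `/_ids\Z/` entry in PROHIBITED_REFERENCES carries no rationale, and since this constant is a suffix denylist the reason it exists (the commit message's point that `*_ids` writers let an import attach another project's records by id) is the only thing stopping someone from pruning it later; I would add `# *_ids are has_many writers: importing them could attach another project's records by id` above the constant. Separately, `\Z` also matches before a single trailing newline while `\z` matches only at end of string; here the looser anchor can only prohibit more, so it is safe, but `\z` is the conventional full-string anchor and a maintainer reading `\Z` may assume exact-end semantics. Whether any entry in ALLOWED_REFERENCES ends in `_ids` cannot be verified from this hunk; if one does, which list wins is decided in the class body, which continues outside the hunk (`self.clean` is only partly visible).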
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index c4052415ab0..44192c4639d 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -26,7 +26,10 @@ describe Gitlab::ImportExport::AttributeCleaner do
 '_html' => '

perfectly ordinary html

',
 'cached_markdown_version' => 12345,
 'group_id' => 99,
- 'commit_id' => 99
+ 'commit_id' => 99,
+ 'issue_ids' => [1, 2, 3],
+ 'merge_request_ids' => [1, 2, 3],
+ 'note_ids' => [1, 2, 3]
 }
 end
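Review bot: The hunk only adds `issue_ids`, `merge_request_ids` and `note_ids` to the input fixture; the expectation that they are stripped lives elsewhere in the spec, outside this hunk, so it cannot be confirmed here that the new keys are asserted against rather than silently passing through a looser comparison. A dedicated example would pin the regression independently of the shared fixture, e.g. `it 'removes attributes ending in _ids' do` / `expect(cleaned.keys).not_to include('issue_ids', 'merge_request_ids', 'note_ids')` / `end`, with `cleaned` replaced by whatever this spec names the cleaner's output. All three new values are integer arrays; adding one non-array value such as `'label_ids' => '1,2,3'` would show the cleaning is keyed on the attribute name, not the value shape. The `_html` fixture line appears garbled in this rendering (its markup was stripped), which is a display artefact rather than a code issue.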