Prevent templated services from being imported

Templated services should only be created by admins and does not apply to project import/export. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189
2018-11-17 21:45:05 -08:00 · 2018-11-17 21:45:05 -08:00 · 2e3674f7a8
commit 2e3674f7a8
parent b14057874e
4 changed files with 37 additions and 1 deletions
--- a/changelogs/unreleased/sh-fix-issue-54189.yml
+++ b/changelogs/unreleased/sh-fix-issue-54189.yml
@ -0,0 +1,5 @@
+---
+title: Prevent templated services from being imported
+merge_request:
+author:
+type: security
--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@ -154,6 +154,8 @@ excluded_attributes:
    - :encrypted_token_iv
    - :encrypted_url
    - :encrypted_url_iv
+  services:
+    - :template

 methods:
  labels:
--- a/spec/lib/gitlab/import_export/project.light.json
+++ b/spec/lib/gitlab/import_export/project.light.json
@ -101,6 +101,28 @@
      ]
    }
  ],
+  "services": [
+    {
+      "id": 100,
+      "title": "JetBrains TeamCity CI",
+      "project_id": 5,
+      "created_at": "2016-06-14T15:01:51.315Z",
+      "updated_at": "2016-06-14T15:01:51.315Z",
+      "active": false,
+      "properties": {},
+      "template": true,
+      "push_events": true,
+      "issues_events": true,
+      "merge_requests_events": true,
+      "tag_push_events": true,
+      "note_events": true,
+      "job_events": true,
+      "type": "TeamcityService",
+      "category": "ci",
+      "default": false,
+      "wiki_page_events": true
+    }
+  ],
  "snippets": [],
  "hooks": []
 }
--- a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
@ -297,7 +297,8 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
                      issues: 1,
                      labels: 1,
                      milestones: 1,
-                      first_issue_labels: 1
+                      first_issue_labels: 1,
+                      services: 1

      context 'project.json file access check' do
        it 'does not read a symlink' do
@ -382,6 +383,12 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
        project_tree_restorer.instance_variable_set(:@path, "spec/lib/gitlab/import_export/project.light.json")
      end

+      it 'does not import any templated services' do
+        restored_project_json
+
+        expect(project.services.where(template: true).count).to eq(0)
+      end
+
      it 'imports labels' do
        create(:group_label, name: 'Another label', group: project.group)