......@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
 
## 12.5.7
### Security (1 change)
- Fix private objects exposure when using Project Import functionality.
## 12.5.6
 
### Security (5 changes)
......
......
12.5.6-ee
12.5.7
......@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
def self.clean(*args)
new(*args).clean
......
......
......@@ -23,11 +23,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'custom_attributes' => 'whatever',
'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3],
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
},
'variables_attributes' => {
'id' => 1
}
}
end
......@@ -38,7 +48,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
'commit_id' => 99
'commit_id' => 99,
'custom_attributes' => 'whatever'
}
end
......
......
File mode changed from 100755 to 100644
File mode changed from 100755 to 100644