New upstream version 12.6.4

2020-01-14 00:54:23 +05:30 · 2020-01-14 00:54:23 +05:30 · 54d8419492
parent b4802bbd4a
commit 54d8419492
4 changed files with 23 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,9 +2,15 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 12.6.4
+
+### Security (1 change)
+
+- Fix private objects exposure when using Project Import functionality.
+
+
 ## 12.6.3

- No changes.
 ### Security (1 change)

 - Upgrade json-jwt to v1.11.0. !22440
--- a/2
+++ b/2
@ -1 +1 @@
-12.6.3
+12.6.4
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@ -3,8 +3,8 @@
 module Gitlab
  module ImportExport
    class AttributeCleaner
-      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze

      def self.clean(*args)
        new(*args).clean
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@ -25,11 +25,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
      'legit_html' => '<p>legit html</p>',
      '_html' => '<p>perfectly ordinary html</p>',
      'cached_markdown_version' => 12345,
+      'custom_attributes' => 'whatever',
+      'some_attributes_metadata' => 'whatever',
      'group_id' => 99,
      'commit_id' => 99,
      'issue_ids' => [1, 2, 3],
      'merge_request_ids' => [1, 2, 3],
-      'note_ids' => [1, 2, 3]
+      'note_ids' => [1, 2, 3],
+      'attributes' => {
+        'issue_ids' => [1, 2, 3],
+        'merge_request_ids' => [1, 2, 3],
+        'note_ids' => [1, 2, 3]
+      },
+      'variables_attributes' => {
+        'id' => 1
+      }
    }
  end

@ -40,7 +50,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
      'random_id_in_the_middle' => 99,
      'notid' => 99,
      'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'custom_attributes' => 'whatever'
    }
  end
 @ -1 +1 @@
 .6.3
 .6.4