Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee

00553eb3 · GitLab Bot · f39b4225 · 00553eb3 · 00553eb3 · 00553eb3
5 changed file
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ b/changelogs/unreleased/security-ssrf-attachment-url.yml
+---
+title: Exclude Carrierwave remote URL methods from import
+merge_request:
+author:
+type: security
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -11,7 +11,14 @@ module Gitlab
        'discussion_id',
        'custom_attributes'
      ].freeze
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
+      PROHIBITED_REFERENCES = Regexp.union(
+        /\Acached_markdown_version\Z/,
+        /_id\Z/,
+        /_ids\Z/,
+        /_html\Z/,
+        /attributes/,
+        /\Aremote_\w+_(url|urls|request_header)\Z/ # carrierwave automatically creates these attribute methods for uploads
+      ).freeze

      def self.clean(*args)
        new(*args).clean

--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -32,6 +32,9 @@ describe Gitlab::ImportExport::AttributeCleaner do
      'issue_ids' => [1, 2, 3],
      'merge_request_ids' => [1, 2, 3],
      'note_ids' => [1, 2, 3],
+      'remote_attachment_url' => 'http://something.dodgy',
+      'remote_attachment_request_header' => 'bad value',
+      'remote_attachment_urls' => %w(http://something.dodgy http://something.okay),
      'attributes' => {
        'issue_ids' => [1, 2, 3],
        'merge_request_ids' => [1, 2, 3],

--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore