Merge branch 'security-fix-lfs-import-project-ssrf-forgery-11-6' into 'security-11-6'

[11.6] LFS object forgery in project import

See merge request gitlab/gitlabhq!2818

(cherry picked from commit 6402c62822692b924ee95234cbcc2578501236f9)

bb635c64 Added validations to prevent LFS object forgery

2 files changed, 7 insertions, 5 deletions

diff --git a/lib/gitlab/github_import/importer/lfs_object_importer.rb b/lib/gitlab/github_import/importer/lfs_object_importer.rb
index a88c17aaf82..195383fd3e9 100644
--- a/lib/gitlab/github_import/importer/lfs_object_importer.rb
+++ b/lib/gitlab/github_import/importer/lfs_object_importer.rb
@@ -13,10 +13,12 @@ module Gitlab
           @project = project
         end
 
+        def lfs_download_object
+          LfsDownloadObject.new(oid: lfs_object.oid, size: lfs_object.size, link: lfs_object.link)
+        end
+
         def execute
-          Projects::LfsPointers::LfsDownloadService
-            .new(project)
-            .execute(lfs_object.oid, lfs_object.download_link)
+          Projects::LfsPointers::LfsDownloadService.new(project, lfs_download_object).execute
         end
       end
     end
diff --git a/lib/gitlab/github_import/representation/lfs_object.rb b/lib/gitlab/github_import/representation/lfs_object.rb
index debe0fa0baf..a4606173f49 100644
--- a/lib/gitlab/github_import/representation/lfs_object.rb
+++ b/lib/gitlab/github_import/representation/lfs_object.rb
@@ -9,11 +9,11 @@ module Gitlab
 
         attr_reader :attributes
 
-        expose_attribute :oid, :download_link
+        expose_attribute :oid, :link, :size
 
         # Builds a lfs_object
         def self.from_api_response(lfs_object)
-          new({ oid: lfs_object[0], download_link: lfs_object[1] })
+          new({ oid: lfs_object.oid, link: lfs_object.link, size: lfs_object.size })
         end
 
         # Builds a new lfs_object using a Hash that was built from a JSON payload.