-rw-r--r--ruby/gitlab-shell/lib/gitlab_access.rb12
-rw-r--r--ruby/gitlab-shell/spec/gitlab_access_spec.rb13
2 files changed, 24 insertions, 1 deletions
diff --git a/ruby/gitlab-shell/lib/gitlab_access.rb b/ruby/gitlab-shell/lib/gitlab_access.rb
index caeb3fb39..83dbcd8d8 100644
--- a/ruby/gitlab-shell/lib/gitlab_access.rb
+++ b/ruby/gitlab-shell/lib/gitlab_access.rb
@@ -8,6 +8,8 @@ require 'json'
class GitlabAccess
class AccessDeniedError < StandardError; end
+ MAX_NUMBER_OF_REFS = 1000
+
attr_reader :config, :gl_repository, :repo_path, :changes, :protocol
def initialize(gl_repository, repo_path, gl_id, changes, protocol)
@@ -20,6 +22,8 @@ class GitlabAccess
end
def exec
+ validate_refs_size!
+
status = GitlabMetrics.measure('check-access:git-receive-pack') do
api.check_access('git-receive-pack', @gl_repository, @repo_path, @gl_id, @changes, @protocol, env: ObjectDirsHelper.all_attributes.to_json)
end
@@ -40,4 +44,12 @@ class GitlabAccess
def api
GitlabNet.new
end
+
+ private
+
+ def validate_refs_size!
+ return if changes.size <= MAX_NUMBER_OF_REFS
+
+ raise AccessDeniedError, 'Exceeded the max number of allowed refs to push'
+ end
end
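Review bot: `validate_refs_size!` compares `changes.size` with `MAX_NUMBER_OF_REFS`, but nothing in this hunk shows what unit `size` counts. `initialize` is outside the hunk, so if `@changes` is stored as the raw String rather than as an array of lines, the limit would apply to characters instead of refs. A comment above the method would pin the intent, for example `# changes holds one entry per pushed ref update; reject oversized pushes before the internal API call`. The constant added in the first hunk (`MAX_NUMBER_OF_REFS = 1000`) would also benefit from a line saying why this value was chosen, since it is hard-coded rather than read from `config`.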
diff --git a/ruby/gitlab-shell/spec/gitlab_access_spec.rb b/ruby/gitlab-shell/spec/gitlab_access_spec.rb
index 6c1d3485e..885ef1cfd 100644
--- a/ruby/gitlab-shell/spec/gitlab_access_spec.rb
+++ b/ruby/gitlab-shell/spec/gitlab_access_spec.rb
@@ -5,6 +5,7 @@ describe GitlabAccess do
let(:repository_path) { "/home/git/repositories" }
let(:repo_name) { 'dzaporozhets/gitlab-ci' }
let(:repo_path) { File.join(repository_path, repo_name) + ".git" }
+ let(:changes) { 'wow' }
let(:api) do
double(GitlabNet).tap do |api|
allow(api).to receive(:check_access).and_return(GitAccessStatus.new(true,
@@ -20,7 +21,7 @@ describe GitlabAccess do
end
end
subject do
- GitlabAccess.new(nil, repo_path, 'key-123', 'wow', 'ssh').tap do |access|
+ GitlabAccess.new(nil, repo_path, 'key-123', changes, 'ssh').tap do |access|
allow(access).to receive(:exec_cmd).and_return(:exec_called)
allow(access).to receive(:api).and_return(api)
end
@@ -43,6 +44,16 @@ describe GitlabAccess do
end
end
+ context 'number of changes is too large' do
+ let(:changes) { "1\n" * 1001 }
+
+ it 'returns false' do
+ expect($stderr).to receive(:puts).with('GitLab: Exceeded the max number of allowed refs to push')
+
+ expect(subject.exec).to be_falsey
+ end
+ end
+
context "access is denied" do
before do
allow(api).to receive(:check_access).and_return(GitAccessStatus.new(
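Review bot: The new 'number of changes is too large' context asserts the stderr message and the falsey return, but not that the oversized push is rejected before the internal API is contacted. The placement of `validate_refs_size!` ahead of `api.check_access` in `exec` suggests that ordering is the intent, and adding `expect(api).not_to receive(:check_access)` to the example would pin it. The input `"1\n" * 1001` is also 2002 characters long, so the example passes whether the limit counts lines or characters. A boundary case with `let(:changes) { "1\n" * 1000 }` that expects `exec` to succeed would tell the two apart and confirm the `<=` comparison. The 'access is denied' context that follows continues outside the hunk.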