Add latest changes from gitlab-org/gitlab@16-5-stable-eev16.5.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-10-19 15:57:54 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-10-19 15:57:54 +0300
commit: 419c53ec62de6e97a517abd5fdd4cbde3a942a34 (patch)
tree: 1f43a548b46bca8a5fb8fe0c31cef1883d49c5b6 /lib/gitlab/checks
parent: 1da20d9135b3ad9e75e65b028bffc921aaf8deb7 (diff)
4 files changed, 50 insertions, 7 deletions
diff --git a/lib/gitlab/checks/global_file_size_check.rb b/lib/gitlab/checks/global_file_size_check.rb
index 62facf52239..ff24467e9cc 100644
--- a/lib/gitlab/checks/global_file_size_check.rb
+++ b/lib/gitlab/checks/global_file_size_check.rb
@@ -17,16 +17,34 @@ module Gitlab
           ).find
 
           if oversized_blobs.present?
+
+            blob_details = {}
+            blob_id_size_msg = ""
+            oversized_blobs.each do |blob|
+              blob_details[blob.id] = { "size" => blob.size }
+
+              # blob size is in byte, divide it by "/ 1024.0 / 1024.0" to get MiB
+              blob_id_size_msg += "- #{blob.id} (#{(blob.size / 1024.0 / 1024.0).round(2)} MiB) \n"
+            end
+
+            oversize_err_msg = <<~OVERSIZE_ERR_MSG
+              You are attempting to check in one or more blobs which exceed the #{file_size_limit}MiB limit:
+
+              #{blob_id_size_msg}
+              To resolve this error, you must either reduce the size of the above blobs, or utilize LFS.
+              You may use "git ls-tree -r HEAD | grep $BLOB_ID" to see the file path.
+              Please refer to #{Rails.application.routes.url_helpers.help_page_url('user/free_push_limit')} and
+              #{Rails.application.routes.url_helpers.help_page_url('administration/settings/account_and_limit_settings')}
+              for further information.
+            OVERSIZE_ERR_MSG
+
             Gitlab::AppJsonLogger.info(
               message: 'Found blob over global limit',
-              blob_sizes: oversized_blobs.map(&:size)
+              blob_sizes: oversized_blobs.map(&:size),
+              blob_details: blob_details
             )
 
-            if enforce_global_file_size_limit?
-              raise ::Gitlab::GitAccess::ForbiddenError,
-                "Changes include a file that is larger than the allowed size of #{file_size_limit} MiB. " \
-                "Use Git LFS to manage this file.)"
-            end
+            raise ::Gitlab::GitAccess::ForbiddenError, oversize_err_msg if enforce_global_file_size_limit?
           end
         end
 
diff --git a/lib/gitlab/checks/security/policy_check.rb b/lib/gitlab/checks/security/policy_check.rb
new file mode 100644
index 00000000000..b2be393351a
--- /dev/null
+++ b/lib/gitlab/checks/security/policy_check.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Checks
+    module Security
+      class PolicyCheck < BaseSingleChecker
+        def validate!; end
+      end
+    end
+  end
+end
+
+Gitlab::Checks::Security::PolicyCheck.prepend_mod
diff --git a/lib/gitlab/checks/single_change_access.rb b/lib/gitlab/checks/single_change_access.rb
index 9f427e98e55..625524cf2bc 100644
--- a/lib/gitlab/checks/single_change_access.rb
+++ b/lib/gitlab/checks/single_change_access.rb
@@ -54,6 +54,7 @@ module Gitlab
         Gitlab::Checks::PushCheck.new(self).validate!
         Gitlab::Checks::BranchCheck.new(self).validate!
         Gitlab::Checks::TagCheck.new(self).validate!
+        Gitlab::Checks::Security::PolicyCheck.new(self).validate!
       end
 
       def commits_check
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 4505bcb5411..d5addab74b8 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -11,7 +11,8 @@ module Gitlab
         delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
         create_protected_tag: 'You are not allowed to create this tag as it is protected.',
         default_branch_collision: 'You cannot use default branch name to create a tag',
-        prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.'
+        prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.',
+        prohibited_tag_name_encoding: 'Tag names must be valid when converted to UTF-8 encoding'
       }.freeze
 
       LOG_MESSAGES = {
@@ -46,6 +47,16 @@ module Gitlab
         if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
           raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
         end
+
+        # rubocop: disable Style/GuardClause
+        # rubocop: disable Style/SoleNestedConditional
+        if Feature.enabled?(:prohibited_tag_name_encoding_check, project)
+          unless Gitlab::EncodingHelper.force_encode_utf8(tag_name).valid_encoding?
+            raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name_encoding]
+          end
+        end
+        # rubocop: enable Style/SoleNestedConditional
+        # rubocop: enable Style/GuardClause
       end
 
       def protected_tag_checks
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-10-19 15:57:54 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-10-19 15:57:54 +0300
commit	419c53ec62de6e97a517abd5fdd4cbde3a942a34 (patch)
tree	1f43a548b46bca8a5fb8fe0c31cef1883d49c5b6 /lib/gitlab/checks
parent	1da20d9135b3ad9e75e65b028bffc921aaf8deb7 (diff)