authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:25:55 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:25:55 +0300
commitf0f3848e7a0b458c35a1adf3cb1cca29a205a60e (patch)
tree99be436b75910a7242204c42eb8196ab3ac3e826 /lib
parent6d091758c4b17e6463a4476cab30d8bf258a3400 (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/checks/tag_check.rb4
-rw-r--r--lib/gitlab/ci/lint.rb4
-rw-r--r--lib/gitlab/ci/yaml_processor.rb31
3 files changed, 39 insertions, 0 deletions
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 5c43ca946b5..4505bcb5411 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -39,6 +39,10 @@ module Gitlab
def prohibited_tag_checks
return if deletion?
+ unless Gitlab::GitRefValidator.validate(tag_name)
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
+ end
+
if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
end
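Review bot: The new three-line `unless` block sits directly above a guard the file already writes in modifier form, and the rubocop disable on the `refs/tags/` check suggests the authors wanted guard-clause style here; `raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name] unless Gitlab::GitRefValidator.validate(tag_name)` expresses the same rejection in one line. A short why-comment would also help the next reader, since both checks raise the identical message and the reason for running the general ref-name validation first is not stated: `# Reject malformed ref names before the more specific prefix check below`. Note the validator runs after `return if deletion?`, so tag deletions are not name-validated; this looks intentional but is worth a word in that comment. `prohibited_tag_checks` continues beyond the hunk.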
diff --git a/lib/gitlab/ci/lint.rb b/lib/gitlab/ci/lint.rb
index e0112a1b1c2..54861e2769e 100644
--- a/lib/gitlab/ci/lint.rb
+++ b/lib/gitlab/ci/lint.rb
@@ -28,6 +28,9 @@ module Gitlab
def initialize(project:, current_user:, sha: nil)
@project = project
@current_user = current_user
+ # If the `sha` is not provided, the default is the project's head commit (or nil). In such case, we
+ # don't need to call `YamlProcessor.verify_project_sha!`, which prevents redundant calls to Gitaly.
+ @verify_project_sha = sha.present?
@sha = sha || project&.repository&.commit&.sha
end
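Review bot: `@verify_project_sha` is derived with `sha.present?` while the next line falls back with `sha || …`, so an empty-string `sha` disables verification yet is still stored as `@sha` instead of being replaced by the head commit. Using the same predicate for both keeps the two fields consistent: `@sha = sha.presence || project&.repository&.commit&.sha`. The explanatory comment added above `@verify_project_sha` is helpful; it could additionally state that a blank `sha` is treated as "not provided".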
@@ -77,6 +80,7 @@ module Gitlab
Gitlab::Ci::YamlProcessor.new(content, project: @project,
user: @current_user,
sha: @sha,
+ verify_project_sha: @verify_project_sha,
logger: logger).execute
end
end
diff --git a/lib/gitlab/ci/yaml_processor.rb b/lib/gitlab/ci/yaml_processor.rb
index 3a0173d1548..289f41b4ec7 100644
--- a/lib/gitlab/ci/yaml_processor.rb
+++ b/lib/gitlab/ci/yaml_processor.rb
@@ -8,6 +8,8 @@
module Gitlab
module Ci
class YamlProcessor
+ include Gitlab::Utils::StrongMemoize
+
ValidationError = Class.new(StandardError)
def initialize(config_content, opts = {})
@@ -28,6 +30,8 @@ module Gitlab
return Result.new(errors: ['Please provide content of .gitlab-ci.yml'])
end
+ verify_project_sha! if verify_project_sha?
+
@ci_config = Gitlab::Ci::Config.new(@config_content, **@opts)
unless @ci_config.valid?
@@ -47,6 +51,15 @@ module Gitlab
@opts[:project]
end
+ def sha
+ @opts[:sha]
+ end
+
+ def verify_project_sha?
+ @opts.delete(:verify_project_sha) || false
+ end
+ strong_memoize_attr :verify_project_sha?
+
def run_logical_validations!
@stages = @ci_config.stages
@jobs = @ci_config.normalized_jobs
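Review bot: `verify_project_sha?` is a predicate with a hidden side effect — `@opts.delete(:verify_project_sha)` strips the key so it is not splatted into `Gitlab::Ci::Config.new(…, **@opts)` later in `execute`, and only the `strong_memoize_attr` line keeps a second call from returning `nil`. That coupling is easy to break (moving the memoize line, or calling the predicate after the config is built) and is not documented; a comment on the method would make the contract explicit: `# Deletes the option from @opts so it is not forwarded to Gitlab::Ci::Config; memoized so repeat calls keep the first value.` Extracting the option in `initialize` (outside this hunk) would remove the side effect from the predicate entirely.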
@@ -191,6 +204,24 @@ module Gitlab
def error!(message)
raise ValidationError, message
end
+
+ def verify_project_sha!
+ return unless project && sha && project.repository_exists? && project.commit(sha)
+
+ unless project_ref_contains_sha?
+ error!('Could not validate configuration. Config originates from external project')
+ end
+ end
+
+ def project_ref_contains_sha?
+ # A 5-minute cache TTL is sufficient to prevent Gitaly load issues while also mitigating rare
+ # use cases concerning stale data. For example, when an external commit gets merged into the
+ # project, there may be at most a 5-minute window where the `sha` is still considered external.
+ Rails.cache.fetch(['project', project.id, 'ref/contains/sha', sha], expires_in: 5.minutes) do
+ repo = project.repository
+ repo.branch_names_contains(sha, limit: 1).any? || repo.tag_names_contains(sha, limit: 1).any?
+ end
+ end
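Review bot: `verify_project_sha!` resolves `project.commit(sha)` on its guard line only to discard the result, and `project_ref_contains_sha?` then keys the 5-minute cache and the containment queries on the raw `sha` string rather than the resolved object id. If callers can pass an abbreviated sha or a ref name (not visible here), the cache entry and the Gitaly lookups would be keyed on a value that may not identify a single commit; threading `commit.sha` through closes that gap and saves a lookup. Both methods are new in this hunk, so the arity change has no other callers in view; the `unless … end` around `error!` could also be the modifier form the file uses elsewhere.
```ruby
def verify_project_sha!
  return unless project && sha && project.repository_exists?

  commit = project.commit(sha)
  return unless commit

  # Check containment against the resolved object id, not the caller-supplied string
  error!('Could not validate configuration. Config originates from external project') unless project_ref_contains_sha?(commit.sha)
end

def project_ref_contains_sha?(commit_sha)
  # … unchanged: cache TTL rationale comment …
  Rails.cache.fetch(['project', project.id, 'ref/contains/sha', commit_sha], expires_in: 5.minutes) do
    repo = project.repository
    repo.branch_names_contains(commit_sha, limit: 1).any? || repo.tag_names_contains(commit_sha, limit: 1).any?
  end
end
```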
end
end
end