author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:25:55 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:25:55 +0300 |
commit | f0f3848e7a0b458c35a1adf3cb1cca29a205a60e (patch) | |
tree | 99be436b75910a7242204c42eb8196ab3ac3e826 /lib | |
parent | 6d091758c4b17e6463a4476cab30d8bf258a3400 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/checks/tag_check.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/ci/lint.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/ci/yaml_processor.rb | 31 |
3 files changed, 39 insertions, 0 deletions
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 5c43ca946b5..4505bcb5411 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -39,6 +39,10 @@ module Gitlab
 def prohibited_tag_checks
 return if deletion?
+ unless Gitlab::GitRefValidator.validate(tag_name)
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
+ end
+
 if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
 raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
 end
diff --git a/lib/gitlab/ci/lint.rb b/lib/gitlab/ci/lint.rb
index e0112a1b1c2..54861e2769e 100644
--- a/lib/gitlab/ci/lint.rb
+++ b/lib/gitlab/ci/lint.rb
@@ -28,6 +28,9 @@ module Gitlab
 def initialize(project:, current_user:, sha: nil)
 @project = project
 @current_user = current_user
+ # If the `sha` is not provided, the default is the project's head commit (or nil). In such case, we
+ # don't need to call `YamlProcessor.verify_project_sha!`, which prevents redundant calls to Gitaly.
+ @verify_project_sha = sha.present?
 @sha = sha || project&.repository&.commit&.sha
 end
@@ -77,6 +80,7 @@ module Gitlab
 Gitlab::Ci::YamlProcessor.new(content, project: @project,
 user: @current_user,
 sha: @sha,
+ verify_project_sha: @verify_project_sha,
 logger: logger).execute
 end
 end
diff --git a/lib/gitlab/ci/yaml_processor.rb b/lib/gitlab/ci/yaml_processor.rb
index 3a0173d1548..289f41b4ec7 100644
--- a/lib/gitlab/ci/yaml_processor.rb
+++ b/lib/gitlab/ci/yaml_processor.rb
@@ -8,6 +8,8 @@ module Gitlab
 module Ci
 class YamlProcessor
+ include Gitlab::Utils::StrongMemoize
+
 ValidationError = Class.new(StandardError)
 def initialize(config_content, opts = {})
@@ -28,6 +30,8 @@ module Gitlab
 return Result.new(errors: ['Please provide content of .gitlab-ci.yml'])
 end
+ verify_project_sha! if verify_project_sha?
+
 @ci_config = Gitlab::Ci::Config.new(@config_content, **@opts)
 unless @ci_config.valid?
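Review bot: The new `unless Gitlab::GitRefValidator.validate(tag_name)` guard and the existing `if tag_name.start_with?("refs/tags/")` guard raise the same `GitAccess::ForbiddenError` with the same `ERROR_MESSAGES[:prohibited_tag_name]`, so they read better as a single condition, `raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name] if !Gitlab::GitRefValidator.validate(tag_name) || tag_name.start_with?("refs/tags/")`, which would also let the rubocop disable go. Whether the validator already rejects names beginning with `refs/` cannot be told from this hunk; if it does, the second check is redundant and a one-line comment saying which rule each guard enforces would help the next reader. `prohibited_tag_checks` continues past the end of the hunk.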
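Review bot: In `Lint#initialize`, `@verify_project_sha = sha.present?` and `@sha = sha || project&.repository&.commit&.sha` disagree on what counts as "not provided": a blank string is falsy for `present?` but truthy for `||`, so for `sha: ""` verification is switched off while `@sha` stays `""` instead of falling back to the head commit, which is not what the new comment describes. Using the same predicate on both lines, `@sha = sha.presence || project&.repository&.commit&.sha`, keeps the flag and the value in step. Whether a blank `sha` can reach this constructor depends on the callers, which are outside this diff.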
@@ -47,6 +51,15 @@ module Gitlab
 @opts[:project]
 end
+ def sha
+ @opts[:sha]
+ end
+
+ def verify_project_sha?
+ @opts.delete(:verify_project_sha) || false
+ end
+ strong_memoize_attr :verify_project_sha?
+
 def run_logical_validations!
 @stages = @ci_config.stages
 @jobs = @ci_config.normalized_jobs
@@ -191,6 +204,24 @@ module Gitlab
 def error!(message)
 raise ValidationError, message
 end
+
+ def verify_project_sha!
+ return unless project && sha && project.repository_exists? && project.commit(sha)
+
+ unless project_ref_contains_sha?
+ error!('Could not validate configuration. Config originates from external project')
+ end
+ end
+
+ def project_ref_contains_sha?
+ # A 5-minute cache TTL is sufficient to prevent Gitaly load issues while also mitigating rare
+ # use cases concerning stale data. For example, when an external commit gets merged into the
+ # project, there may be at most a 5-minute window where the `sha` is still considered external.
+ Rails.cache.fetch(['project', project.id, 'ref/contains/sha', sha], expires_in: 5.minutes) do
+ repo = project.repository
+ repo.branch_names_contains(sha, limit: 1).any? || repo.tag_names_contains(sha, limit: 1).any?
+ end
+ end
 end
 end
 end |
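Review bot: `verify_project_sha?` is a predicate with a destructive side effect — `@opts.delete(:verify_project_sha) || false` — and it depends on `strong_memoize_attr` to return the same answer on the second call; any code path that reads `**@opts` before the first call would pass the unknown key through, and the coupling between "strip the option" and "answer the question" is easy to break in a later edit. Consuming the option once where `@opts` is set up would be simpler: `@verify_project_sha = @opts.delete(:verify_project_sha) || false` in `initialize`, with `verify_project_sha?` reduced to returning `@verify_project_sha` and the memoization removed. `initialize`'s body lies outside the hunk, so how `@opts` is built there is not visible here.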
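Review bot: `project_ref_contains_sha?` keys the cache entry and the `branch_names_contains`/`tag_names_contains` queries on `sha` exactly as supplied, while `verify_project_sha!` only checks that `project.commit(sha)` resolves; if callers can pass an abbreviated sha or a ref name, the same commit yields separate cache entries and the contains lookups run against the unnormalised value. Resolving once — `commit = project.commit(sha)` in `verify_project_sha!`, using `commit` in the guard, and handing `commit.sha` (the full id) to `project_ref_contains_sha?` — keeps the cache key and the Gitaly queries on the canonical id; whether non-canonical values actually reach `@opts[:sha]` is not visible in this diff. The comment in `project_ref_contains_sha?` documents only the stale-deny direction, but a positive answer is cached for the same 5 minutes, so a sha whose last containing branch or tag is deleted inside that window is still treated as internal; a line such as `# The converse also holds: a sha whose last containing ref was just deleted stays accepted for up to 5 minutes.` would make the trade-off explicit.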