author | John Jarvis <jarv@gitlab.com> | 2018-12-27 14:02:45 +0300 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2018-12-27 14:02:45 +0300 |
commit | b0e6341ad176abe903c5117c1c0a10ffd25de55b (patch) | |
tree | 1e5928e47bc0966f17a34b35d28b96870b8b8925 /lib | |
parent | 7cb3332e53c3131dcdc609aff64bb7a567bd8a63 (diff) | |
parent | 3a2ffac45a4d92da6d46a98d7aca586eec8df253 (diff) |
Merge branch 'security-11-6-secret-ci-variables-exposed' into 'security-11-6'
[11.6] Secret CI variables can be exposed by creating a tag with the same name as an existing protected branch
See merge request gitlab/gitlabhq!2684
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/command.rb | 8 | ||||
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/validate/repository.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/git.rb | 4 |
3 files changed, 13 insertions, 3 deletions
diff --git a/lib/gitlab/ci/pipeline/chain/command.rb b/lib/gitlab/ci/pipeline/chain/command.rb
index 100b9521412..90208352c55 100644
--- a/lib/gitlab/ci/pipeline/chain/command.rb
+++ b/lib/gitlab/ci/pipeline/chain/command.rb
@@ -54,7 +54,13 @@ module Gitlab

 def protected_ref?
 strong_memoize(:protected_ref) do
- project.protected_for?(ref)
+ project.protected_for?(origin_ref)
+ end
+ end
+
+ def ambiguous_ref?
+ strong_memoize(:ambiguous_ref) do
+ project.repository.ambiguous_ref?(origin_ref)
 end
 end
 end
diff --git a/lib/gitlab/ci/pipeline/chain/validate/repository.rb b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
index d88851d8245..9c6c2bc8e25 100644
--- a/lib/gitlab/ci/pipeline/chain/validate/repository.rb
+++ b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
@@ -16,6 +16,10 @@ module Gitlab
 unless @command.sha
 return error('Commit not found')
 end
+
+ if @command.ambiguous_ref?
+ return error('Ref is ambiguous')
+ end
 end

 def break?
diff --git a/lib/gitlab/git.rb b/lib/gitlab/git.rb
index c4aac228b2f..44a62586a23 100644
--- a/lib/gitlab/git.rb
+++ b/lib/gitlab/git.rb
@@ -54,11 +54,11 @@ module Gitlab
 end

 def tag_ref?(ref)
- ref.start_with?(TAG_REF_PREFIX)
+ ref =~ /^#{TAG_REF_PREFIX}.+/
 end

 def branch_ref?(ref)
- ref.start_with?(BRANCH_REF_PREFIX)
+ ref =~ /^#{BRANCH_REF_PREFIX}.+/
 end

 def blank_ref?(ref) |
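Review bot: Nothing in `protected_ref?` or the new `ambiguous_ref?` in command.rb records why they must use `origin_ref` rather than `ref`, so a later cleanup could quietly revert the protection check to the shortened name. Going by the merge title, the risk is a tag sharing its name with a protected branch, so I would add a comment above `protected_ref?` such as `# Use origin_ref (the ref as supplied): a short name can match both a tag and a protected branch.` The same one-line rationale would help above the `@command.ambiguous_ref?` check added in validate/repository.rb. `origin_ref` is defined outside this hunk, so whether it is always fully qualified should be confirmed before wording the comment.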
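Review bot: In git.rb both new patterns anchor with `^`, which in Ruby matches at the start of any line, so `tag_ref?` and `branch_ref?` would accept a multi-line string whose later line begins with the prefix; `\A` anchors the whole string. The predicates also now return an Integer or nil instead of true/false, and the prefix constants are interpolated unescaped (their values are not visible in this hunk). I would write `ref.to_s.match?(/\A#{Regexp.escape(TAG_REF_PREFIX)}.+/)` and the same for `BRANCH_REF_PREFIX`; `to_s` keeps the nil tolerance that `=~` introduced, which should be confirmed as intended since `start_with?` raised on nil.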