From d2d66de7163c42532c5a1c3cddebb144658c5242 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 13 Dec 2023 09:22:56 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-6-stable-ee
---
 lib/gitlab/checks/tag_check.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/gitlab/checks/tag_check.rb')
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index d5addab74b8..cdc648bf005 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -12,6 +12,7 @@ module Gitlab
 create_protected_tag: 'You are not allowed to create this tag as it is protected.',
 default_branch_collision: 'You cannot use default branch name to create a tag',
 prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.',
+ prohibited_sha_tag_name: 'You cannot create a tag with a SHA-1 or SHA-256 tag name.',
 prohibited_tag_name_encoding: 'Tag names must be valid when converted to UTF-8 encoding'
 }.freeze
 
@@ -21,6 +22,8 @@ module Gitlab
 protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
 }.freeze
 
+ STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o
+
 def validate!
 return unless tag_name
 
@@ -57,6 +60,7 @@ module Gitlab
 end
 # rubocop: enable Style/SoleNestedConditional
 # rubocop: enable Style/GuardClause
+ validate_tag_name_not_sha_like!
 end
 
 def protected_tag_checks
@@ -88,6 +92,12 @@ module Gitlab
 end
 end
 end
+
+ def validate_tag_name_not_sha_like!
+ return unless STARTS_WITH_SHA_REGEX.match?(tag_name)
+
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_sha_tag_name]
+ end
 end
 end
 end
-- 
cgit v1.2.3
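Review bot: The message added as `prohibited_sha_tag_name` says the tag name is a SHA-1 or SHA-256 value, but the check added later in this diff rejects more than that. `STARTS_WITH_SHA_REGEX` is anchored with `\A` only, so, assuming the interpolated pattern has no end anchor of its own, names that merely begin with a full hash are refused too. A user pushing such a longer name gets a message that does not describe their input. `prohibited_sha_tag_name: 'You cannot create a tag whose name starts with a SHA-1 or SHA-256 hash.',` would match the behaviour. The hash literal this entry belongs to opens outside the hunk.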
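Review bot: `STARTS_WITH_SHA_REGEX` has no comment explaining why only the start is anchored or what the rule protects, and its `o` flag is redundant. A regexp literal assigned to a constant is interpolated once when the class body is evaluated, so `STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}` behaves the same. The rationale should be written above the constant; presumably it is that a tag named like a full object ID is ambiguous with that commit wherever a revision string is resolved. `RAW_FULL_SHA_PATTERN` is defined outside this diff, so which hex lengths and letter case it accepts should be confirmed there.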
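Review bot: The added `validate_tag_name_not_sha_like!` call is the last statement of a method whose opening lies outside this hunk, so it is not visible whether that method returns early for tag deletions. If it does not, a SHA-like tag that already exists in a repository could no longer be removed by a push, which is the cleanup an administrator would want after upgrading. The error text speaks only of creating a tag, so the check should probably be confirmed to apply to creation only. A blank line before the call would also separate it from the `# rubocop: enable` comments, which belong to the block above it.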
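Review bot: `STARTS_WITH_SHA_REGEX.match?(tag_name)` in the new `validate_tag_name_not_sha_like!` can raise `ArgumentError` instead of returning false, because Ruby regexp matching raises on a String whose bytes are invalid for its tagged encoding. The call site in the previous hunk follows a conditional block that is only partly visible. If that block can be skipped, a malformed tag name may surface as an unexpected exception rather than `GitAccess::ForbiddenError`, so the ordering against the encoding validation is worth confirming. The method also lacks a comment; `# Rejects tag names that begin with a full SHA-1 or SHA-256 hex digest.` would state its contract.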