Commit 4d73ef61 authored by Kerri Miller's avatar Kerri Miller

Apply CODEOWNER validations to web requests

We had previously not applied these to web requests, thinking them to be
redundant. However, this poses a potential security issue, so we need to
enable them.

Format error msg for web requests

We'll eventually clean this messaging up for the web, but the simplest
thing we can do is remove the \n characters so that the API can send
(and the front end display) the error message legibly; the \n were
causing us to drop everything after the first line. It's ugly, but it is
approved language and is FAR more helpful for a user to be able to
resolve the issue.
parent 0a49a02f
---
title: Apply CODEOWNERS validations to web requests
merge_request:
author:
type: security
......@@ -12,7 +12,7 @@ module EE
def path_validations
validations = [super].flatten
if !updated_from_web? && project.branch_requires_code_owner_approval?(branch_name)
if project.branch_requires_code_owner_approval?(branch_name)
validations << validate_code_owners
end
......@@ -34,11 +34,13 @@ module EE
matched_rules = loader.entries.collect { |e| "- #{e.pattern}" }
code_owner_path = project.repository.code_owners_blob(ref: branch_name).path || "CODEOWNERS"
"Pushes to protected branches that contain changes to files that\n" \
msg = "Pushes to protected branches that contain changes to files that\n" \
"match patterns defined in `#{code_owner_path}` are disabled for\n" \
"this project. Please submit these changes via a merge request.\n\n" \
"The following pattern(s) from `#{code_owner_path}` were matched:\n" \
"#{matched_rules.join('\n')}\n"
updated_from_web? ? msg.tr("\n", " ") : msg
end
def validate_path_locks?
......
......@@ -89,8 +89,22 @@ describe Gitlab::Checks::DiffCheck do
stub_feature_flags(sectional_codeowners: false)
end
it "returns an error message" do
expect(validation_result).to include("Pushes to protected branches")
context "for a non-web-based request" do
it "returns an error message" do
expect(validation_result).to include("Pushes to protected branches")
expect(validation_result).to include("\n")
end
end
context "for a web-based request" do
before do
expect(subject).to receive(:updated_from_web?).and_return(true)
end
it "returns an error message with newline chars removed" do
expect(validation_result).to include("Pushes to protected branches")
expect(validation_result).not_to include("\n")
end
end
end
......@@ -128,30 +142,16 @@ describe Gitlab::Checks::DiffCheck do
end
context "when the feature is enabled on the project" do
context "updated_from_web? == false" do
before do
expect(subject).to receive(:updated_from_web?).and_return(false)
expect(project).to receive(:branch_requires_code_owner_approval?)
.once.and_return(true)
end
it "returns an array of Proc(s)" do
validations = subject.send(:path_validations)
expect(validations.any?).to be_truthy
expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
end
before do
expect(project).to receive(:branch_requires_code_owner_approval?)
.once.and_return(true)
end
context "updated_from_web? == true" do
before do
expect(subject).to receive(:updated_from_web?).and_return(true)
expect(project).not_to receive(:branch_requires_code_owner_approval?)
end
it "returns an array of Proc(s)" do
validations = subject.send(:path_validations)
it "returns an empty array" do
expect(subject.send(:path_validations)).to eq([])
end
expect(validations.any?).to be_truthy
expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment