Apply CODEOWNER validations to web requests

We had previously not applied these to web requests, thinking them to be redundant. However, this poses a potential security issue, so we need to enable them. Format error msg for web requests We'll eventually clean this messaging up for the web, but the simplest thing we can do is remove the \n characters so that the API can send (and the front end display) the error message legibly; the \n were causing us to drop everything after the first line. It's ugly, but it is approved language and is FAR more helpful for a user to be able to resolve the issue.

Apply CODEOWNER validations to web requests
We had previously not applied these to web requests, thinking them to be redundant. However, this poses a potential security issue, so we need to enable them. Format error msg for web requests We'll eventually clean this messaging up for the web, but the simplest thing we can do is remove the \n characters so that the API can send (and the front end display) the error message legibly; the \n were causing us to drop everything after the first line. It's ugly, but it is approved language and is FAR more helpful for a user to be able to resolve the issue.
4d73ef61 · Kerri Miller · 0a49a02f · 4d73ef61 · 4d73ef61 · 4d73ef61
Commit 4d73ef61 authored Mar 17, 2020 by Kerri Miller
3 changed files
--- a/changelogs/unreleased/security-apply-codeowners-checks-to-web_ui.yml
+++ b/changelogs/unreleased/security-apply-codeowners-checks-to-web_ui.yml
+---
+title: Apply CODEOWNERS validations to web requests
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/gitlab/checks/diff_check.rb
+++ b/ee/lib/ee/gitlab/checks/diff_check.rb
@@ -12,7 +12,7 @@ module EE
        def path_validations
          validations = [super].flatten

-          if !updated_from_web? && project.branch_requires_code_owner_approval?(branch_name)
+          if project.branch_requires_code_owner_approval?(branch_name)
            validations << validate_code_owners
          end

@@ -34,11 +34,13 @@ module EE
          matched_rules = loader.entries.collect { |e| "- #{e.pattern}" }
          code_owner_path = project.repository.code_owners_blob(ref: branch_name).path || "CODEOWNERS"

-          "Pushes to protected branches that contain changes to files that\n" \
+          msg = "Pushes to protected branches that contain changes to files that\n" \
            "match patterns defined in `#{code_owner_path}` are disabled for\n" \
            "this project. Please submit these changes via a merge request.\n\n" \
            "The following pattern(s) from `#{code_owner_path}` were matched:\n" \
            "#{matched_rules.join('\n')}\n"
+
+          updated_from_web? ? msg.tr("\n", " ") : msg
        end

        def validate_path_locks?

--- a/ee/spec/lib/gitlab/checks/diff_check_spec.rb
+++ b/ee/spec/lib/gitlab/checks/diff_check_spec.rb
@@ -89,8 +89,22 @@ describe Gitlab::Checks::DiffCheck do
            stub_feature_flags(sectional_codeowners: false)
          end

-          it "returns an error message" do
-            expect(validation_result).to include("Pushes to protected branches")
+          context "for a non-web-based request" do
+            it "returns an error message" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).to include("\n")
+            end
+          end
+
+          context "for a web-based request" do
+            before do
+              expect(subject).to receive(:updated_from_web?).and_return(true)
+            end
+
+            it "returns an error message with newline chars removed" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).not_to include("\n")
+            end
          end
        end

@@ -128,30 +142,16 @@ describe Gitlab::Checks::DiffCheck do
      end

      context "when the feature is enabled on the project" do
-        context "updated_from_web? == false" do
-          before do
-            expect(subject).to receive(:updated_from_web?).and_return(false)
-            expect(project).to receive(:branch_requires_code_owner_approval?)
-              .once.and_return(true)
-          end
-
-          it "returns an array of Proc(s)" do
-            validations = subject.send(:path_validations)
-
-            expect(validations.any?).to be_truthy
-            expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
-          end
+        before do
+          expect(project).to receive(:branch_requires_code_owner_approval?)
+            .once.and_return(true)
        end

-        context "updated_from_web? == true" do
-          before do
-            expect(subject).to receive(:updated_from_web?).and_return(true)
-            expect(project).not_to receive(:branch_requires_code_owner_approval?)
-          end
+        it "returns an array of Proc(s)" do
+          validations = subject.send(:path_validations)

-          it "returns an empty array" do
-            expect(subject.send(:path_validations)).to eq([])
-          end
+          expect(validations.any?).to be_truthy
+          expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
        end
      end
    end