Apply CODEOWNER validations to web requests

We had previously not applied these to web requests, thinking them to be redundant. However, this poses a potential security issue, so we need to enable them. Format error msg for web requests We'll eventually clean this messaging up for the web, but the simplest thing we can do is remove the \n characters so that the API can send (and the front end display) the error message legibly; the \n were causing us to drop everything after the first line. It's ugly, but it is approved language and is FAR more helpful for a user to be able to resolve the issue.

Apply CODEOWNER validations to web requests
We had previously not applied these to web requests, thinking them to be redundant. However, this poses a potential security issue, so we need to enable them. Format error msg for web requests We'll eventually clean this messaging up for the web, but the simplest thing we can do is remove the \n characters so that the API can send (and the front end display) the error message legibly; the \n were causing us to drop everything after the first line. It's ugly, but it is approved language and is FAR more helpful for a user to be able to resolve the issue.
4d73ef61 · Kerri Miller · 0a49a02f · 4d73ef61 · 4d73ef61 · 4d73ef61
Commit 4d73ef61 authored Mar 17, 2020 by Kerri Miller
3 changed files
--- a/changelogs/unreleased/security-apply-codeowners-checks-to-web_ui.yml
+++ b/changelogs/unreleased/security-apply-codeowners-checks-to-web_ui.yml
+---
+title: Apply CODEOWNERS validations to web requests
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/gitlab/checks/diff_check.rb
+++ b/ee/lib/ee/gitlab/checks/diff_check.rb
@@ -12,7 +12,7 @@ module EE
        def path_validations
          validations = [super].flatten
-          if !updated_from_web? && project.branch_requires_code_owner_approval?(branch_name)
+          if project.branch_requires_code_owner_approval?(branch_name)
            validations << validate_code_owners
          end
@@ -34,11 +34,13 @@ module EE
          matched_rules = loader.entries.collect { |e| "- #{e.pattern}" }
          code_owner_path = project.repository.code_owners_blob(ref: branch_name).path || "CODEOWNERS"
-          "Pushes to protected branches that contain changes to files that\n" \
+          msg = "Pushes to protected branches that contain changes to files that\n" \
            "match patterns defined in `#{code_owner_path}` are disabled for\n" \
            "this project. Please submit these changes via a merge request.\n\n" \
            "The following pattern(s) from `#{code_owner_path}` were matched:\n" \
            "#{matched_rules.join('\n')}\n"
+          updated_from_web? ? msg.tr("\n", " ") : msg
        end
        def validate_path_locks?

--- a/ee/spec/lib/gitlab/checks/diff_check_spec.rb
+++ b/ee/spec/lib/gitlab/checks/diff_check_spec.rb
@@ -89,8 +89,22 @@ describe Gitlab::Checks::DiffCheck do
            stub_feature_flags(sectional_codeowners: false)
          end
-          it "returns an error message" do
+          context "for a non-web-based request" do
-            expect(validation_result).to include("Pushes to protected branches")
+            it "returns an error message" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).to include("\n")
+            end
+          end
+          context "for a web-based request" do
+            before do
+              expect(subject).to receive(:updated_from_web?).and_return(true)
+            end
+            it "returns an error message with newline chars removed" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).not_to include("\n")
+            end
          end
        end
@@ -128,30 +142,16 @@ describe Gitlab::Checks::DiffCheck do
      end
      context "when the feature is enabled on the project" do
-        context "updated_from_web? == false" do
+        before do
-          before do
+          expect(project).to receive(:branch_requires_code_owner_approval?)
-            expect(subject).to receive(:updated_from_web?).and_return(false)
+            .once.and_return(true)
-            expect(project).to receive(:branch_requires_code_owner_approval?)
-              .once.and_return(true)
-          end
-          it "returns an array of Proc(s)" do
-            validations = subject.send(:path_validations)
-            expect(validations.any?).to be_truthy
-            expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
-          end
        end
-        context "updated_from_web? == true" do
+        it "returns an array of Proc(s)" do
-          before do
+          validations = subject.send(:path_validations)
-            expect(subject).to receive(:updated_from_web?).and_return(true)
-            expect(project).not_to receive(:branch_requires_code_owner_approval?)
-          end
-          it "returns an empty array" do
+          expect(validations.any?).to be_truthy
-            expect(subject.send(:path_validations)).to eq([])
+          expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
-          end
        end
      end
    end