Commit 7a4d9abf authored by Robert Speicher

Update security-harness for Security remote

Updates the pre-push hook to check for dev.gitlab.org *or* the
`gitlab-org/security/` remote.

In order to facilitate a smooth transition for users who already
installed the old version of the hook at some point, we check the
existing hook's SHA against a list of known previous versions.

If the user has a previous version of the payload installed, we simply
upgrade it in-place. Otherwise we fall back to the previous behavior of
warning the user that they have a hook we don't know about.

Further, this update adds colored terminal output in order to draw
attention to the various messages, but will respect a `NO_COLOR`
environment variable to disable this behavior.
parent e960088d
#!/usr/bin/env ruby #!/usr/bin/env ruby
# frozen_string_literal: true
require 'digest' require 'digest'
require 'fileutils' require 'fileutils'
harness_path = File.expand_path('../.git/security_harness', __dir__) if ENV['NO_COLOR']
hook_path = File.expand_path("../.git/hooks/pre-push", __dir__) SHELL_RED = ''
SHELL_GREEN = ''
SHELL_YELLOW = ''
SHELL_CLEAR = ''
else
SHELL_RED = "\e[1;31m"
SHELL_GREEN = "\e[1;32m"
SHELL_YELLOW = "\e[1;33m"
SHELL_CLEAR = "\e[0m"
end
if File.exist?(hook_path) HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)
# Deal with a pre-existing hook HOOK_DATA = <<~HOOK
source_sum = Digest::SHA256.hexdigest(DATA.read) #!/bin/bash
dest_sum = Digest::SHA256.file(hook_path).hexdigest
if source_sum != dest_sum set -e
puts "#{hook_path} exists and is different from our hook!"
puts "Remove it and re-run this script to continue." url="$2"
harness=`dirname "$0"`/../security_harness
if [ -e "$harness" ]
then
if [[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]
then
echo "Pushing to remotes other than dev.gitlab.org and gitlab.com/gitlab-org/security has been disabled!"
echo "Run scripts/security-harness to disable this check."
echo
exit 1 exit 1
end fi
else fi
File.open(hook_path, 'w') do |file| HOOK
IO.copy_stream(DATA, file)
end
File.chmod(0755, hook_path) def write_hook
FileUtils.mkdir_p(File.dirname(HOOK_PATH))
File.open(HOOK_PATH, 'w') do |file|
file.write(HOOK_DATA)
end
File.chmod(0755, HOOK_PATH)
end end
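Review bot: the new remote test on the `[[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]` line is a bare substring match, so `*"gitlab-org/security/"*` accepts any push URL that contains that path on any host, whereas the `echo` two lines below promises that only `gitlab.com/gitlab-org/security` is allowed. Consider pinning the host in the pattern so the check enforces what the message states, e.g. `*"gitlab.com/gitlab-org/security/"*` for HTTPS remotes and `*"gitlab.com:gitlab-org/security/"*` for the SSH form (both suggested patterns, not on the page). The pre-existing `*"dev.gitlab.org"*` test has the same looseness, since it also matches that string anywhere in the URL rather than as the host.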
# Toggle the harness on or off # Toggle the harness on or off
if File.exist?(harness_path) def toggle
harness_path = File.expand_path('../.git/security_harness', __dir__)
if File.exist?(harness_path)
FileUtils.rm(harness_path) FileUtils.rm(harness_path)
puts "Security harness removed -- you can now push to all remotes." puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
else else
FileUtils.touch(harness_path) FileUtils.touch(harness_path)
puts "Security harness installed -- you will only be able to push to dev.gitlab.org!" puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to dev.gitlab.org or gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
end
end end
__END__ # If we were to change the script and then check for a pre-existing hook before
#!/bin/bash # writing, the check would fail even if the user had an unmodified version of
# the old hook. Checking previous version hashes allows us to safely overwrite a
set -e # script that differs from the current version, as long as it's an old one and
# not custom.
def previous_version?(dest_sum)
# SHA256 hashes of previous iterations of the script contained in `DATA`
%w[
010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
].include?(dest_sum)
end
url="$2" if !File.exist?(HOOK_PATH)
harness=`dirname "$0"`/../security_harness write_hook
toggle
else
# Deal with a pre-existing hook
source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
dest_sum = Digest::SHA256.file(HOOK_PATH).hexdigest
if [ -e "$harness" ] if previous_version?(dest_sum)
then # Upgrading from a previous version, update in-place
if [[ "$url" != *"dev.gitlab.org"* ]] write_hook
then toggle
echo "Pushing to remotes other than dev.gitlab.org has been disabled!" elsif source_sum != dest_sum
echo "Run scripts/security-harness to disable this check." # Pre-existing hook we didn't create; do nothing
echo puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
exit 1 exit 1
fi else
fi # No hook update needed, just toggle
toggle
end
end
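Review bot: the `previous_version?` branch upgrades silently; `write_hook` prints nothing and `toggle` then runs, so a user whose harness file already exists sees only "Security harness removed" and has no indication that the hook itself was replaced. Suggest a `puts` after `write_hook` in that branch (something like "Upgraded pre-push hook to the current version") so the in-place upgrade the commit message describes is visible. Related maintenance point for the `%w[` list in `previous_version?`: it holds only the hash of the hook being replaced in this commit, so every future change to `HOOK_DATA` must also append the SHA256 of the version it replaces, otherwise existing installs fall into the `exists and is different from our hook!` branch and exit 1; a comment stating that next to the list would keep the next editor from missing it.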