Commit 844cca4a authored by Douwe Maan's avatar Douwe Maan

Add Git hook to validate maximum file size.

parent ccf79272
...@@ -3,6 +3,7 @@ v 7.12 (Unreleased) ...@@ -3,6 +3,7 @@ v 7.12 (Unreleased)
- Enhance LDAP group synchronization to check also for member attributes that only contain "uid=<username>" - Enhance LDAP group synchronization to check also for member attributes that only contain "uid=<username>"
- Enhance LDAP group synchronization to check also for submember attributes - Enhance LDAP group synchronization to check also for submember attributes
- Prevent LDAP group sync from removing a group's last owner - Prevent LDAP group sync from removing a group's last owner
- Add Git hook to validate maximum file size.
v 7.11.4 v 7.11.4
- no changes specific to EE - no changes specific to EE
......
...@@ -20,7 +20,7 @@ class Admin::GitHooksController < Admin::ApplicationController ...@@ -20,7 +20,7 @@ class Admin::GitHooksController < Admin::ApplicationController
def git_hook_params def git_hook_params
params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex, params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex,
:commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex) :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex, :max_file_size)
end end
def git_hook def git_hook
......
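Review bot: The permitted attribute list in git_hook_params is now maintained by hand in two controllers, this hunk and the Projects::GitHooksController hunk below, so the next hook attribute can be whitelisted in one and forgotten in the other. Extract it to a single constant, e.g. `PERMITTED_ATTRIBUTES = %i[deny_delete_tag delete_branch_regex commit_message_regex force_push_regex author_email_regex member_check file_name_regex max_file_size].freeze` on GitHook, and call `params.require(:git_hook).permit(*GitHook::PERMITTED_ATTRIBUTES)` in both. The controller class continues outside the hunk.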
...@@ -28,6 +28,6 @@ class Projects::GitHooksController < Projects::ApplicationController ...@@ -28,6 +28,6 @@ class Projects::GitHooksController < Projects::ApplicationController
# Only allow a trusted parameter "white list" through. # Only allow a trusted parameter "white list" through.
def git_hook_params def git_hook_params
params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex, params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex,
:commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex) :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex, :max_file_size)
end end
end end
...@@ -16,6 +16,10 @@ class GitHook < ActiveRecord::Base ...@@ -16,6 +16,10 @@ class GitHook < ActiveRecord::Base
end end
def commit_validation? def commit_validation?
commit_message_regex.present? || author_email_regex.present? || member_check || file_name_regex.present? commit_message_regex.present? ||
author_email_regex.present? ||
member_check ||
file_name_regex.present? ||
max_file_size > 0
end end
end end
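Review bot: `max_file_size > 0` in commit_validation? raises NoMethodError when max_file_size is nil, and nil appears reachable: the migration in this commit adds the column with `default: 0` but without `null: false`, and a blank value submitted from the number field is typically cast to nil for an integer attribute. Coerce before comparing, `max_file_size.to_i > 0`, and add a model-level guard such as `validates :max_file_size, numericality: { only_integer: true, greater_than_or_equal_to: 0 }` — the form's `min: 0` is only a browser-side hint, and the same comparison is repeated in Gitlab::GitAccess. The GitHook class continues outside the hunk.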
...@@ -87,7 +87,7 @@ ...@@ -87,7 +87,7 @@
.form-group .form-group
= f.label :max_attachment_size, 'Maximum attachment size (MB)', class: 'control-label col-sm-2' = f.label :max_attachment_size, 'Maximum attachment size (MB)', class: 'control-label col-sm-2'
.col-sm-10 .col-sm-10
= f.number_field :max_attachment_size, class: 'form-control' = f.number_field :max_attachment_size, class: 'form-control', min: 0
.form-group .form-group
= f.label :restricted_signup_domains, 'Restricted domains for sign-ups', class: 'control-label col-sm-2' = f.label :restricted_signup_domains, 'Restricted domains for sign-ups', class: 'control-label col-sm-2'
.col-sm-10 .col-sm-10
......
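Review bot: `min: 0` on the max_attachment_size field is enforced only by the browser; unless ApplicationSetting already validates the attribute (not visible in this hunk), a request that bypasses the form can still store a negative value. Pair the view change with `validates :max_attachment_size, numericality: { only_integer: true, greater_than_or_equal_to: 0 }` in the model if that validation is not already present.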
...@@ -40,8 +40,8 @@ ...@@ -40,8 +40,8 @@
%span %span
Hooks Hooks
= nav_link(controller: :git_hooks) do = nav_link(controller: :git_hooks) do
= link_to admin_git_hooks_path, title: 'Git Hooks' do = link_to admin_git_hooks_path, title: 'Git Hooks', data: {placement: 'right'} do
%i.fa.fa-git-square = icon('git-square fw')
%span %span
Git Hooks Git Hooks
= nav_link(controller: :background_jobs) do = nav_link(controller: :background_jobs) do
......
...@@ -48,5 +48,13 @@ ...@@ -48,5 +48,13 @@
to be pushed. to be pushed.
If this field is empty it allows any filenames. If this field is empty it allows any filenames.
.form-group
= f.label :max_file_size, "Maximum file size (MB)", class: 'control-label'
.col-sm-10
= f.number_field :max_file_size, class: "form-control", min: 0
.help-block
Pushes that contain added or updated files that exceed this file size are rejected.
Set to 0 to allow files of any size.
.form-actions .form-actions
= f.submit "Save Git hooks", class: "btn btn-create" = f.submit "Save Git hooks", class: "btn btn-create"
class AddMaxFileSizeToGitHooks < ActiveRecord::Migration
def change
add_column :git_hooks, :max_file_size, :integer, default: 0
end
end
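Review bot: add_column leaves max_file_size nullable, so a NULL can be stored even though every consumer in this commit compares the column with `> 0`. Declare it `add_column :git_hooks, :max_file_size, :integer, default: 0, null: false`, matching the `member_check` column of the same table as shown in the schema hunk.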
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20150529150354) do ActiveRecord::Schema.define(version: 20150605131047) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
...@@ -133,6 +133,7 @@ ActiveRecord::Schema.define(version: 20150529150354) do ...@@ -133,6 +133,7 @@ ActiveRecord::Schema.define(version: 20150529150354) do
t.boolean "member_check", default: false, null: false t.boolean "member_check", default: false, null: false
t.string "file_name_regex" t.string "file_name_regex"
t.boolean "is_sample", default: false t.boolean "is_sample", default: false
t.integer "max_file_size", default: 0
end end
create_table "historical_data", force: true do |t| create_table "historical_data", force: true do |t|
......
...@@ -226,6 +226,17 @@ module Gitlab ...@@ -226,6 +226,17 @@ module Gitlab
end end
end end
end end
if git_hook.max_file_size > 0
commit.diffs.each do |diff|
next if diff.deleted_file
blob = project.repository.blob_at(commit.id, diff.new_path)
if blob.size > git_hook.max_file_size.megabytes
return build_status_object(false, "File #{diff.new_path.inspect} is larger than the allowed size of #{git_hook.max_file_size} MB")
end
end
end
end end
end end
end end
......
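Review bot: `blob.size` on the line after `blob_at` is used without a nil check, so a non-deleted diff path for which the repository returns no blob (nothing in the hunk shows that blob_at always returns one) turns the hook check into an exception rather than a clean reject or allow; add `next unless blob` before the size comparison and decide explicitly whether a missing blob should pass. A second concern, hedged because blob_at's implementation is not in the hunk: if it reads the object's content to learn its size, the check itself materialises every oversized file it is meant to keep out, whereas reading the size from the object header would keep the limit cheap to enforce. The strict `>` means a file exactly at the limit is allowed, which matches the help text's "exceed". The `git_hook` and `commit` locals, and the loop the `if` sits in, start outside the hunk.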
...@@ -294,5 +294,23 @@ describe Gitlab::GitAccess do ...@@ -294,5 +294,23 @@ describe Gitlab::GitAccess do
access.git_hook_check(user, project, 'refs/heads/master', '913c66a37', '33f3729a4').allowed?.should be_truthy access.git_hook_check(user, project, 'refs/heads/master', '913c66a37', '33f3729a4').allowed?.should be_truthy
end end
end end
describe "max file size check" do
before do
allow_any_instance_of(Gitlab::Git::Blob).to receive(:size).and_return(1.5.megabytes.to_i)
end
it "returns false when size is too large" do
project.create_git_hook
project.git_hook.update(max_file_size: 1)
access.git_hook_check(user, project, 'refs/heads/master', 'cfe32cf6', '913c66a37').allowed?.should be_falsey
end
it "returns true when size is allowed" do
project.create_git_hook
project.git_hook.update(max_file_size: 2)
access.git_hook_check(user, project, 'refs/heads/master', 'cfe32cf6', '913c66a37').allowed?.should be_truthy
end
end
end end
end end
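Review bot: Both new examples depend on the single `allow_any_instance_of(Gitlab::Git::Blob)` stub in the `before` block, so neither the boundary nor the failure mode of the code under test is exercised: a blob exactly at the limit, which the strict `>` in GitAccess should allow, and a `blob_at` that returns nil. Add an example for each, e.g. one that stubs `receive(:size).and_return(1.megabyte.to_i)` with `max_file_size: 1` and asserts `allowed?.should be_truthy`, and one that stubs `blob_at` to return nil and asserts the hook check does not raise. The `should` syntax matches the surrounding examples, so no style change is needed there.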