101 lines
2.7 KiB
Ruby
101 lines
2.7 KiB
Ruby
|
# frozen_string_literal: true
|
||
|
|
||
|
module Gitlab
|
||
|
module Checks
|
||
|
class DiffCheck < BaseChecker
|
||
|
include Gitlab::Utils::StrongMemoize
|
||
|
|
||
|
LOG_MESSAGES = {
|
||
|
validate_file_paths: "Validating diffs' file paths...",
|
||
|
diff_content_check: "Validating diff contents..."
|
||
|
}.freeze
|
||
|
|
||
|
def validate!
|
||
|
return if deletion? || newrev.nil?
|
||
|
return unless should_run_diff_validations?
|
||
|
return if commits.empty?
|
||
|
return unless uses_raw_delta_validations?
|
||
|
|
||
|
file_paths = []
|
||
|
process_raw_deltas do |diff|
|
||
|
file_paths << (diff.new_path || diff.old_path)
|
||
|
|
||
|
validate_diff(diff)
|
||
|
end
|
||
|
|
||
|
validate_file_paths(file_paths)
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
def should_run_diff_validations?
|
||
|
validate_lfs_file_locks?
|
||
|
end
|
||
|
|
||
|
def validate_lfs_file_locks?
|
||
|
strong_memoize(:validate_lfs_file_locks) do
|
||
|
project.lfs_enabled? && project.any_lfs_file_locks?
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def uses_raw_delta_validations?
|
||
|
validations_for_diff.present? || path_validations.present?
|
||
|
end
|
||
|
|
||
|
def validate_diff(diff)
|
||
|
validations_for_diff.each do |validation|
|
||
|
if error = validation.call(diff)
|
||
|
raise ::Gitlab::GitAccess::UnauthorizedError, error
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
# Method overwritten in EE to inject custom validations
|
||
|
def validations_for_diff
|
||
|
[]
|
||
|
end
|
||
|
|
||
|
def path_validations
|
||
|
validate_lfs_file_locks? ? [lfs_file_locks_validation] : []
|
||
|
end
|
||
|
|
||
|
def process_raw_deltas
|
||
|
logger.log_timed(LOG_MESSAGES[:diff_content_check]) do
|
||
|
# n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
|
||
|
::Gitlab::GitalyClient.allow_n_plus_1_calls do
|
||
|
commits.each do |commit|
|
||
|
logger.check_timeout_reached
|
||
|
|
||
|
commit.raw_deltas.each do |diff|
|
||
|
yield(diff)
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def validate_file_paths(file_paths)
|
||
|
logger.log_timed(LOG_MESSAGES[__method__]) do
|
||
|
path_validations.each do |validation|
|
||
|
if error = validation.call(file_paths)
|
||
|
raise ::Gitlab::GitAccess::UnauthorizedError, error
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
|
||
|
# rubocop: disable CodeReuse/ActiveRecord
|
||
|
def lfs_file_locks_validation
|
||
|
lambda do |paths|
|
||
|
lfs_lock = project.lfs_file_locks.where(path: paths).where.not(user_id: user_access.user.id).take
|
||
|
|
||
|
if lfs_lock
|
||
|
return "The path '#{lfs_lock.path}' is locked in Git LFS by #{lfs_lock.user.name}"
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
# rubocop: enable CodeReuse/ActiveRecord
|
||
|
end
|
||
|
end
|
||
|
end
|