Merge branch 'security-406764-16-0' into '16-0-stable-ee'

Block tag names that are prepended with refs/tags/, due to conflicts See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3269 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com> Reviewed-by: Vasilii Iakliushin <viakliushin@gitlab.com> Co-authored-by: Robert May <rmay@gitlab.com>

Merge branch 'security-406764-16-0' into '16-0-stable-ee'
Block tag names that are prepended with refs/tags/, due to conflicts See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3269 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com> Reviewed-by: Vasilii Iakliushin <viakliushin@gitlab.com> Co-authored-by: Robert May <rmay@gitlab.com>
ce1d8106 · GitLab Release Tools Bot · 8f558dae · 80e86cec · ce1d8106 · ce1d8106
Commit ce1d8106 authored 2 years ago by GitLab Release Tools Bot
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -10,7 +10,8 @@ class TagCheck < BaseSingleChecker
          'Only a project maintainer or owner can delete a protected tag.',
        delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
        create_protected_tag: 'You are not allowed to create this tag as it is protected.',
-        default_branch_collision: 'You cannot use default branch name to create a tag'
+        default_branch_collision: 'You cannot use default branch name to create a tag',
+        prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.'
      }.freeze

      LOG_MESSAGES = {
@@ -29,11 +30,20 @@ def validate!
        end

        default_branch_collision_check
+        prohibited_tag_checks
        protected_tag_checks
      end

      private

+      def prohibited_tag_checks
+        return if deletion?
+
+        if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
+          raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
+        end
+      end
+
      def protected_tag_checks
        logger.log_timed(LOG_MESSAGES[__method__]) do
          return unless ProtectedTag.protected?(project, tag_name) # rubocop:disable Cop/AvoidReturnFromBlocks

--- a/spec/lib/gitlab/checks/tag_check_spec.rb
+++ b/spec/lib/gitlab/checks/tag_check_spec.rb
@@ -2,7 +2,7 @@

 require 'spec_helper'

-RSpec.describe Gitlab::Checks::TagCheck do
+RSpec.describe Gitlab::Checks::TagCheck, feature_category: :source_code_management do
  include_context 'change access checks context'

  describe '#validate!' do
@@ -14,6 +14,29 @@
      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, 'You are not allowed to change existing tags on this project.')
    end

+    context "prohibited tags check" do
+      it "prohibits tag names that include refs/tags/ at the head" do
+        allow(subject).to receive(:tag_name).and_return("refs/tags/foo")
+
+        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a prohibited pattern.")
+      end
+
+      it "doesn't prohibit a nested refs/tags/ string in a tag name" do
+        allow(subject).to receive(:tag_name).and_return("fix-for-refs/tags/foo")
+
+        expect { subject.validate! }.not_to raise_error
+      end
+
+      context "deleting a refs/tags headed tag" do
+        let(:newrev) { "0000000000000000000000000000000000000000" }
+        let(:ref) { "refs/tags/refs/tags/267208abfe40e546f5e847444276f7d43a39503e" }
+
+        it "doesn't prohibit the deletion of a refs/tags/ tag name" do
+          expect { subject.validate! }.not_to raise_error
+        end
+      end
+    end
+
    context 'with protected tag' do
      let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }