Commit dea53505 authored by Joe Woodward, committed by GitLab Release Tools Bot

Prevent tag names starting with SHA-1 and SHA-256 values

Merge branch 'security-431345-tag-naming-commit-sha-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3748

Changelog: security
parent 37f54132
......@@ -97,6 +97,19 @@ To create a tag from the GitLab UI:
create a lightweight tag.
1. Select **Create tag**.
## Name your tag
Git enforces [tag name rules](https://git-scm.com/docs/git-check-ref-format)
to help ensure tag names remain compatible with other tools. GitLab
adds extra requirements for tag names, and provides benefits for well-structured tag names.
GitLab enforces these additional rules on all tags:
- No spaces are allowed in tag names.
- Tag names starting with 40 or 64 hexadecimal characters are prohibited, because they are similar to Git commit hashes.
- Tag names cannot start with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`
- Tag names are case-sensitive.
## Prevent tag deletion **(PREMIUM ALL)**
To prevent users from removing a tag with `git push`, create a [push rule](../push_rules.md).
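Review bot: the bullet "Tag names cannot start with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`" is the only one of the four without a terminal period; add it for consistency. The new SHA bullet could also state the boundary the spec in this merge request establishes: only names that begin with the 40- or 64-character hexadecimal value are rejected (a bare `<sha>` and `<sha>-` both fail), while a name with a prefix such as `fix-<sha>` is still accepted, and the error users will see is `You cannot create a tag with a SHA-1 or SHA-256 tag name.`; naming the allowed form saves a support round-trip.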
......
......@@ -11,7 +11,8 @@ class TagCheck < BaseSingleChecker
delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
create_protected_tag: 'You are not allowed to create this tag as it is protected.',
default_branch_collision: 'You cannot use default branch name to create a tag',
prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.'
prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.',
prohibited_sha_tag_name: 'You cannot create a tag with a SHA-1 or SHA-256 tag name.'
}.freeze
LOG_MESSAGES = {
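Review bot: the new `prohibited_sha_tag_name` message reads as if only a bare SHA is rejected, but the check (and the `'{SHA-1}{+anything}'` specs below) rejects any name that starts with a SHA-1 or SHA-256 value. Consider `prohibited_sha_tag_name: 'You cannot create a tag with a name that starts with a SHA-1 or SHA-256 value.'` so the user learns that a prefix (for example `fix-<sha>`) is the way out; the docs hunk already says "starting with", so the message should match it.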
......@@ -20,6 +21,8 @@ class TagCheck < BaseSingleChecker
protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
}.freeze
STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o
def validate!
return unless tag_name
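Review bot: `STARTS_WITH_SHA_REGEX` interpolates `RAW_FULL_SHA_PATTERN` directly after `\A`; if that constant is (or later becomes) an unparenthesised alternation such as `\h{40}|\h{64}`, the anchor binds only to the first branch and the 64-hex branch would match anywhere in the name, rejecting `fix-<sha256>` as well. Wrapping it as `STARTS_WITH_SHA_REGEX = %r{\A(?:#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN})}o` makes the anchoring independent of how the shared pattern is written; the "allows SHA-256 values to be appended to the tag name" spec is the one that would catch a regression here. The `o` flag is appropriate since the interpolated value is a constant.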
......@@ -46,6 +49,8 @@ def prohibited_tag_checks
if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
end
validate_tag_name_not_sha_like!
end
def protected_tag_checks
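Review bot: the `# rubocop: disable Style/GuardClause` on the `refs/tags/` `if` was justified while that `if` was the last statement in `prohibited_tag_checks`; with `validate_tag_name_not_sha_like!` now following it, `Style/GuardClause` no longer applies and `Lint/RedundantCopDisableDirective` will flag the comment. Either drop the directive or, for symmetry with the new method, move the `refs/tags/` check into its own bang method. The ordering itself is fine: a name such as `refs/tags/<sha>` reports the generic prohibited-pattern error before the SHA check is reached.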
......@@ -77,6 +82,12 @@ def default_branch_collision_check
end
end
end
def validate_tag_name_not_sha_like!
return unless STARTS_WITH_SHA_REGEX.match?(tag_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_sha_tag_name]
end
end
end
end
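Review bot: `validate_tag_name_not_sha_like!` raises for every matching name, and the only guard visible in this diff is `validate!`'s `return unless tag_name`, so confirm that `prohibited_tag_checks` is not reached for deletions; the existing `delete_protected_tag_non_web` message shows deletions do flow through this checker, and a tag that was created with a SHA-like name before this release should still be removable by push. If deletions are already skipped before this point, a one-line comment on the method saying so would save the next reader the trip; otherwise an early return for deletions belongs here.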
......@@ -41,6 +41,66 @@
expect { subject.validate! }.not_to raise_error
end
end
it "forbids SHA-1 values" do
allow(subject)
.to receive(:tag_name)
.and_return("267208abfe40e546f5e847444276f7d43a39503e")
expect { subject.validate! }.to raise_error(
Gitlab::GitAccess::ForbiddenError,
"You cannot create a tag with a SHA-1 or SHA-256 tag name."
)
end
it "forbids SHA-256 values" do
allow(subject)
.to receive(:tag_name)
.and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
expect { subject.validate! }.to raise_error(
Gitlab::GitAccess::ForbiddenError,
"You cannot create a tag with a SHA-1 or SHA-256 tag name."
)
end
it "forbids '{SHA-1}{+anything}' values" do
allow(subject)
.to receive(:tag_name)
.and_return("267208abfe40e546f5e847444276f7d43a39503e-")
expect { subject.validate! }.to raise_error(
Gitlab::GitAccess::ForbiddenError,
"You cannot create a tag with a SHA-1 or SHA-256 tag name."
)
end
it "forbids '{SHA-256}{+anything} values" do
allow(subject)
.to receive(:tag_name)
.and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175-")
expect { subject.validate! }.to raise_error(
Gitlab::GitAccess::ForbiddenError,
"You cannot create a tag with a SHA-1 or SHA-256 tag name."
)
end
it "allows SHA-1 values to be appended to the tag name" do
allow(subject)
.to receive(:tag_name)
.and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
expect { subject.validate! }.not_to raise_error
end
it "allows SHA-256 values to be appended to the tag name" do
allow(subject)
.to receive(:tag_name)
.and_return("fix-09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
expect { subject.validate! }.not_to raise_error
end
end
context 'with protected tag' do
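Review bot: the description `"forbids '{SHA-256}{+anything} values"` is missing the closing `'` that its SHA-1 twin `"forbids '{SHA-1}{+anything}' values"` has; fix for consistency. On coverage, every example uses lowercase hex; if `RAW_FULL_SHA_PATTERN` accepts `A-F` as well, add one uppercase or mixed-case SHA-1 example so that a later change to the shared pattern cannot silently narrow this check. The error string is also repeated four times as a literal; asserting against `described_class::ERROR_MESSAGES[:prohibited_sha_tag_name]` keeps the spec in step with any rewording of the message.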
......