Prevent tag names starting with SHA-1 and SHA-256 values

Merge branch 'security-431345-tag-naming-commit-sha-16-4' into '16-4-stable-ee' See merge request gitlab-org/security/gitlab!3748 Changelog: security

Prevent tag names starting with SHA-1 and SHA-256 values
Merge branch 'security-431345-tag-naming-commit-sha-16-4' into '16-4-stable-ee' See merge request gitlab-org/security/gitlab!3748 Changelog: security
dea53505 · Joe Woodward · GitLab Release Tools Bot · 37f54132 · dea53505 · dea53505
Commit dea53505 authored 1 year ago by Joe Woodward Committed by GitLab Release Tools Bot 1 year ago
--- a/doc/user/project/repository/tags/index.md
+++ b/doc/user/project/repository/tags/index.md
@@ -97,6 +97,19 @@ To create a tag from the GitLab UI:
   create a lightweight tag.
 1. Select **Create tag**.

+## Name your tag
+
+Git enforces [tag name rules](https://git-scm.com/docs/git-check-ref-format)
+to help ensure tag names remain compatible with other tools. GitLab
+adds extra requirements for tag names, and provides benefits for well-structured tag names.
+
+GitLab enforces these additional rules on all tags:
+
+- No spaces are allowed in tag names.
+- Tag names starting with 40 or 64 hexadecimal characters are prohibited, because they are similar to Git commit hashes.
+- Tag names cannot start with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`
+- Tag names are case-sensitive.
+
 ## Prevent tag deletion **(PREMIUM ALL)**

 To prevent users from removing a tag with `git push`, create a [push rule](../push_rules.md).

--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -11,7 +11,8 @@ class TagCheck < BaseSingleChecker
        delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
        create_protected_tag: 'You are not allowed to create this tag as it is protected.',
        default_branch_collision: 'You cannot use default branch name to create a tag',
-        prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.'
+        prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.',
+        prohibited_sha_tag_name: 'You cannot create a tag with a SHA-1 or SHA-256 tag name.'
      }.freeze

      LOG_MESSAGES = {
@@ -20,6 +21,8 @@ class TagCheck < BaseSingleChecker
        protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
      }.freeze

+      STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o
+
      def validate!
        return unless tag_name

@@ -46,6 +49,8 @@ def prohibited_tag_checks
        if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
          raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
        end
+
+        validate_tag_name_not_sha_like!
      end

      def protected_tag_checks
@@ -77,6 +82,12 @@ def default_branch_collision_check
          end
        end
      end
+
+      def validate_tag_name_not_sha_like!
+        return unless STARTS_WITH_SHA_REGEX.match?(tag_name)
+
+        raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_sha_tag_name]
+      end
    end
  end
 end
--- a/spec/lib/gitlab/checks/tag_check_spec.rb
+++ b/spec/lib/gitlab/checks/tag_check_spec.rb
@@ -41,6 +41,66 @@
          expect { subject.validate! }.not_to raise_error
        end
      end
+
+      it "forbids SHA-1 values" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("267208abfe40e546f5e847444276f7d43a39503e")
+
+        expect { subject.validate! }.to raise_error(
+          Gitlab::GitAccess::ForbiddenError,
+          "You cannot create a tag with a SHA-1 or SHA-256 tag name."
+        )
+      end
+
+      it "forbids SHA-256 values" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
+
+        expect { subject.validate! }.to raise_error(
+          Gitlab::GitAccess::ForbiddenError,
+          "You cannot create a tag with a SHA-1 or SHA-256 tag name."
+        )
+      end
+
+      it "forbids '{SHA-1}{+anything}' values" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("267208abfe40e546f5e847444276f7d43a39503e-")
+
+        expect { subject.validate! }.to raise_error(
+          Gitlab::GitAccess::ForbiddenError,
+          "You cannot create a tag with a SHA-1 or SHA-256 tag name."
+        )
+      end
+
+      it "forbids '{SHA-256}{+anything} values" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175-")
+
+        expect { subject.validate! }.to raise_error(
+          Gitlab::GitAccess::ForbiddenError,
+          "You cannot create a tag with a SHA-1 or SHA-256 tag name."
+        )
+      end
+
+      it "allows SHA-1 values to be appended to the tag name" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
+
+        expect { subject.validate! }.not_to raise_error
+      end
+
+      it "allows SHA-256 values to be appended to the tag name" do
+        allow(subject)
+          .to receive(:tag_name)
+          .and_return("fix-09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
+
+        expect { subject.validate! }.not_to raise_error
+      end
    end

    context 'with protected tag' do