Merge Requests in Busy Repositories Can Create Race Conditions and Allow CODEOWNERS Checks to be Bypassed
Summary
Creating a merge request on a busy repository can sometimes take a few seconds to complete all the CODEOWNERS checks. Because all the functionality of the merge request is available while the checks are running, it is possible to exploit the delay to bypass the CODEOWNERS check.
Steps to reproduce
- You'll need a monorepo with a large amount of activity, where creating a merge request can take several seconds.
- Set up CODEOWNERS to have a sample file owned by somebody else in the project.
- Ensure that CODEOWNERS approvals are required.
- Create a sample change to an owned file on a branch other than master.
- Open a second tab showing the list of merge requests outstanding for approval.
- Create the merge request, then switch over to the second tab and refresh until it appears.
- If the conditions are correct, you'll be able to approve the request before the CODEOWNERS check has been completed.
- The end result is a merged merge request with 0/1 CODEOWNERS approvals.
What is the current bug behavior?
People are able to bypass the CODEOWNERS check and merge changes to owned files without the approval of the code owners.
What is the expected correct behavior?
Merge requests should not have functionality enabled until certain checks, CODEOWNERS among them, have been completed. I would expect to see the 'Merge' button disabled, with some form of indication that the MR is still being processed or created. Once everything has been assessed, we should then be able to proceed with actions.
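The race in the steps above and the gating described here, as an added model that is not GitLab's code: the CODEOWNERS rules for an MR are computed asynchronously (the delay stands in for the busy repository), a non-owner approves during that window, and the merge check is evaluated before and after the rules exist. The `rules_ready` flag and the file and owner names are constructed for the illustration.

```python
"""Model of an approval-rule race: actions allowed before async checks finish."""
from dataclasses import dataclass, field
import threading
import time


@dataclass
class MergeRequest:
    files: list
    approvals: set = field(default_factory=set)
    required_owners: dict = field(default_factory=dict)  # file -> owner who must approve
    rules_ready: bool = False  # set once the CODEOWNERS evaluation has finished


def compute_codeowner_rules(mr, codeowners, delay):
    """Background evaluation of CODEOWNERS; `delay` models a busy monorepo."""
    time.sleep(delay)
    mr.required_owners = {f: codeowners[f] for f in mr.files if f in codeowners}
    mr.rules_ready = True


def can_merge_vulnerable(mr):
    # Checks only the rules that exist right now. While evaluation is still
    # running there are no rules, so all() over an empty set passes: 0/1 approvals, yet mergeable.
    return all(owner in mr.approvals for owner in mr.required_owners.values())


def can_merge_fixed(mr):
    # Merge stays disabled until the rules are final, then the same check applies.
    if not mr.rules_ready:
        return False
    return can_merge_vulnerable(mr)


def simulate(check, race_window=0.2):
    """Return (merge allowed during the race window, merge allowed after checks complete)."""
    codeowners = {"src/payments.rb": "owner"}  # constructed CODEOWNERS mapping
    mr = MergeRequest(files=["src/payments.rb"])
    worker = threading.Thread(target=compute_codeowner_rules, args=(mr, codeowners, race_window))
    worker.start()
    mr.approvals.add("author")  # the non-owner approves before the rules exist
    during_race = check(mr)
    worker.join()
    after_checks = check(mr)
    return during_race, after_checks


if __name__ == "__main__":
    print("vulnerable:", simulate(can_merge_vulnerable))  # (True, False)
    print("fixed:     ", simulate(can_merge_fixed))       # (False, False)
```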
Relevant logs and/or screenshots
The author of the merge request is not an owner, but is still able to merge without the owners' approval under the circumstances described above.