Backend: E2E tests for CI Lint sha verification
From #428338 (closed), we need to add an E2E test to ensure that a project's CI config can't be accessed with an invalid sha.
The test should execute these steps:

- Create a project with a CI config (`basic`).
- Fork `basic`; you'll have `basic-forked`.
- In `basic-forked`, change the CI config in a new branch (`attack`).
- Go to `basic` and create an MR from the `attack` branch of `basic-forked`.
- Now the sha of `basic-forked`'s `attack` branch is available in `basic`.
- Now visit these pages (listed below) with the `attack` sha.
Extra notes

The attack isn't about seeing the file. It's about triggering CI Lint or `ListConfigVariablesService` by visiting these 3 pages. An attacker or the project maintainer can visit these pages:
http://gdk.test:3000/root/basic/-/pipelines/new?ref=b5652866561b831751ba3a200f45d355b01968fb
http://gdk.test:3000/root/basic/-/blob/b5652866561b831751ba3a200f45d355b01968fb/.gitlab-ci.yml
http://gdk.test:3000/root/basic/-/ci/editor?branch_name=b5652866561b831751ba3a200f45d355b01968fb
And the CI Lint requests or `ListConfigVariablesService` requests should not be successful for commit shas that do not belong to any branch or tag in the current project.
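As an added illustration of the check the notes above describe (example code, not GitLab's own), the policy below accepts a sha only when it is a head of, or an ancestor of, one of the project's own branches or tags; the `CiRefPolicy` class, its commit graph and the `basic`/`attack` sample shas are all constructed here for the example.

```ruby
# Added example (not GitLab's code): decide whether a commit sha may be used
# to look up a project's CI config. Assumption: a sha is acceptable only when
# it is reachable from one of the project's own branch or tag heads; a sha that
# is present only because a fork's MR was fetched into the repo is rejected.
require 'set'

class CiRefPolicy
  # parents: { sha => [parent_sha, ...] } (constructed commit graph)
  # branches / tags: { name => head_sha }
  def initialize(parents:, branches:, tags:)
    @parents = parents
    @ref_heads = branches.values + tags.values
  end

  # True when sha is a ref head or an ancestor of one in this project.
  def allowed?(sha)
    return false unless sha.is_a?(String) && sha.match?(/\A\h{40}\z/)
    owned_commits.include?(sha)
  end

  private

  # Walk parents from every branch/tag head once and memoize the result.
  def owned_commits
    @owned_commits ||= begin
      seen = Set.new
      stack = @ref_heads.dup
      until stack.empty?
        sha = stack.pop
        next unless seen.add?(sha)          # nil when already visited
        stack.concat(@parents.fetch(sha, []))
      end
      seen
    end
  end
end

# Constructed sample: upstream "basic" owns C0..C2 on main and tag v1.0 at C1;
# the fork's "attack" commit F1 was fetched for an MR but is on no upstream ref.
C0 = 'a' * 40
C1 = 'b' * 40
C2 = 'c' * 40
F1 = 'd' * 40
BASIC = CiRefPolicy.new(
  parents: { C0 => [], C1 => [C0], C2 => [C1], F1 => [C1] },
  branches: { 'main' => C2 },
  tags: { 'v1.0' => C1 }
)
```

An E2E test in the spirit of the issue would assert that the three pages above return an error for `F1` while still succeeding for `C2`.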
Edited by Avielle Wolfe