
Do not parse git-notes commits during git access checks

Joe Woodward requested to merge fix/push_rule_commit_message_validation into master

What does this MR do and why?

Fixes #207807 (closed) and #209901 (closed)

git-notes are stored as blobs, but a history of the note changes is also recorded in refs/notes/commits (this can be configured but will always begin with refs/notes). When a user pushes the notes refs with git push origin refs/notes/commits, the Gitlab::GitAccess module performs some checks. As the notes are also stored as commits, the backend would find these commits and apply the normal rules against them.

We shouldn't apply push rules against these commits as they are generated by git, e.g.:

  • Notes added by 'git notes add'
  • Notes removed by 'git notes remove'

This change will prevent changes that are not for refs/heads or refs/tags from being processed as commits.

How to set up and validate locally

  1. In GDK create a push rule for any project with Reject expression in commit messages set to ^Notes
  2. Clone the repo locally from your GDK
  3. Add a note with git notes add -m 'test note'
  4. On GDK's master branch attempt to push the notes with git push gdk_remote refs/notes/commits. The response should show GitLab: Commit message contains the forbidden pattern '^Notes'
  5. Now switch to GDK's fix/push_rule_commit_message_validation branch and push again. This time the push should succeed.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Joe Woodward
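
The ref filtering described in this merge request, as an added Ruby sketch that is not GitLab's code: it runs a reject-expression push rule over a constructed push, once checking every ref and once checking only refs/heads and refs/tags. All method names, constants and the sample data are hypothetical.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical.
COMMIT_CHECKED_PREFIXES = %w[refs/heads/ refs/tags/].freeze

# True only for branch and tag refs, whose commits are authored by users.
def commit_checks_apply?(ref)
  COMMIT_CHECKED_PREFIXES.any? { |prefix| ref.start_with?(prefix) }
end

# Returns [ref, message] pairs that match the reject expression.
# filter_refs: false models the behaviour before the change (commits on
# every pushed ref are checked); true models the behaviour after it.
def push_rule_violations(changes, reject_pattern, filter_refs:)
  changes.flat_map do |change|
    next [] if filter_refs && !commit_checks_apply?(change[:ref])

    change[:messages].select { |message| message.match?(reject_pattern) }
                     .map { |message| [change[:ref], message] }
  end
end

# Constructed sample push: one notes ref, one branch, one tag.
SAMPLE_CHANGES = [
  { ref: 'refs/notes/commits', messages: ["Notes added by 'git notes add'"] },
  { ref: 'refs/heads/feature', messages: ['Notes on refactoring', 'Fix typo'] },
  { ref: 'refs/tags/v1.0',     messages: ['Release 1.0'] }
].freeze

# The reject expression from the validation steps.
REJECT = /^Notes/

if __FILE__ == $PROGRAM_NAME
  { 'all refs checked' => false, 'heads/tags only' => true }.each do |label, filter|
    violations = push_rule_violations(SAMPLE_CHANGES, REJECT, filter_refs: filter)
    puts "#{label}:"
    violations.each { |ref, message| puts "  rejected #{ref}: #{message}" }
  end
end
```

With filtering on, the git-generated notes commit is no longer rejected, while the branch commit whose message starts with "Notes" still is, so the push rule keeps applying to user-authored commits.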
