
Add argument to GQL Query.ciConfig to skip sha verification

Leaminn Ma requested to merge gql-ciconfig-add-verify-sha-arg into master

What does this MR do and why?

In https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3540, we introduced a project sha verification process to fix a security vulnerability (#417275 (closed)). It effectively prevents YamlProcessor from running on commit shas that are not associated with a project Tag or Branch (detached commits). The process was applied to the Ci::Lint class which affects the Query.ciConfig endpoint.

In https://gitlab.com/gitlab-com/ops-sub-department/section-ops-request-for-help/-/issues/215#note_1597562585, we learned that there is a customer use case to use Query.ciConfig with detached commits.

This MR introduces the argument skip_verify_project_sha to Query.ciConfig, which gives the user the choice to opt out of the sha verification process.

We discussed that adding this argument does not re-introduce the security vulnerability from #417275 (closed) as it does not affect how GitLab UI processes detached shas.
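To make the mechanism above concrete, here is an added example (not GitLab's own code, and not the code of the merge request linked above): a small Ruby model of the project sha verification and of the new opt-out argument. The commit graph, branch and tag tips and sha values are constructed for the example, and the names `sha_on_branch_or_tag?` and `lint_for_sha` are assumptions standing in for the real Ci::Lint and YamlProcessor entry points. The model generalizes the check slightly by treating a sha as "associated with a branch or tag" when it is reachable from any ref tip, not only when it is a tip itself.

```ruby
# Added example (not GitLab's code): a minimal model of the project sha
# verification described in the MR, plus the skip_verify_project_sha opt-out.
# Commits are modeled as sha => parent shas; branches and tags are
# ref name => tip sha. All sha values are constructed sample data.

require 'set'

# Constructed sample repository: main is c1 <- c2. A merge request commit c3
# was pushed on top of c2 but is not on any branch or tag of the project
# itself (for example it lives in a fork), i.e. it is a detached commit.
# c4 is a tagged release commit.
COMMITS = {
  'c1' => [],
  'c2' => ['c1'],
  'c3' => ['c2'],  # detached merge request commit
  'c4' => ['c2']   # tagged commit
}.freeze

BRANCHES = { 'main' => 'c2' }.freeze
TAGS = { 'v1.0' => 'c4' }.freeze

# True when +sha+ is reachable from the tip of at least one branch or tag,
# meaning the commit is part of the project's own history rather than detached.
def sha_on_branch_or_tag?(sha, commits: COMMITS, branches: BRANCHES, tags: TAGS)
  seen = Set.new
  queue = branches.values + tags.values
  until queue.empty?
    current = queue.shift
    next if seen.include?(current)

    seen << current
    return true if current == sha

    queue.concat(commits.fetch(current, []))
  end
  false
end

# Models the lint entry point: with verification enabled, a sha that is not
# associated with a branch or tag is rejected before any YAML is processed.
# The keyword mirrors the new Query.ciConfig argument; callers that do not
# pass it keep the verification.
def lint_for_sha(sha, content, skip_verify_project_sha: false)
  if !skip_verify_project_sha && !sha_on_branch_or_tag?(sha)
    return {
      status: :invalid,
      errors: ["sha #{sha} is not associated with a project branch or tag"],
      merged_yaml: nil
    }
  end

  # Stand-in for YamlProcessor: reached only once the sha check has passed
  # or been explicitly skipped. Real processing would parse and merge the
  # CI configuration here; the model just echoes the content back.
  { status: :valid, errors: [], merged_yaml: content }
end

if __FILE__ == $PROGRAM_NAME
  p lint_for_sha('c3', "---\n:build:\n  :script: echo\n")
  p lint_for_sha('c3', "---\n:build:\n  :script: echo\n", skip_verify_project_sha: true)
end
```

The point the model makes is that the opt-out is a per-request decision taken by the API caller: nothing else on the code path changes, so a caller that does not pass the argument (and the UI, which does not expose it) still has YAML processing refused for detached shas.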

How to reproduce locally

  1. In your project, create a commit on a new branch and open a merge request to main.

  2. Leave the MR open and unmerged. Copy the merge request commit sha (there's probably a better way to obtain it, but I usually just view a file under the Changes tab and get the sha from the URL). Go to http://gdk.test:3000/-/graphql-explorer. Test the following query:

query getCiConfigData($projectPath: ID!, $sha: String, $content: String!) {
  ciConfig(projectPath: $projectPath, sha: $sha, content: $content) {
    errors
    mergedYaml
    status
  }
}

Variables:

{ "projectPath": "<YOUR_PROJECT_PATH>", "sha": "<MERGE_REQUEST_SHA>", "content": "---\n:build:\n  :script: echo\n" }
  3. Observe that the output shows a validation error.


How to set up and validate locally

  1. Checkout this branch and follow steps 1-3 in the previous section.
  2. Re-execute the query with the new skip_verify_project_sha argument set to true:
query getCiConfigData($projectPath: ID!, $sha: String, $content: String!) {
  ciConfig(projectPath: $projectPath, sha: $sha, content: $content, skipVerifyProjectSha: true) {
    errors
    mergedYaml
    status
  }
}
  3. Observe that the validation error does not appear and the data is returned as expected.


  4. (Optional) You can verify that this change does not affect the fix for the original security vulnerability by following the steps in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3540#how-to-reproduce-the-issue-locally.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Leaminn Ma
