Validate existence of SHAs in diff refs
Background
This is a follow-up to #36493 (closed) / https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/145#note_279033460.
The original issue was that storing a null base_sha
in a note on designs makes the design unavailable due to a JS error on the frontend when loading the notes:
-
https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/145 fixes the backend to not return an error for null
base_sha
values. - !23491 (merged) fixes the frontend error handling.
Proposal
It's still possible to send invalid SHA values for base_sha
/ start_sha
/ head_sha
, so we should always validate these by checking if they actually exist in the repository.
Involved components
app/models/concerns/diff_positionable_note.rb
lib/gitlab/diff/diff_refs.rb