Potential security problem when reusing generated diff files from Merge Requests in real project pipelines
GitLab provides links to diff files for each Merge Request, like https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18171.diff
And many projects use these links to apply such patches to their code in pipelines. For example, in the Drupal community we use such links to get the diffs; an example is on the page https://www.drupal.org/project/drupal/issues/3300426 (a plain diff link).
But this approach creates a potential security problem, because the link to the diff file doesn't contain any reference to the MR version (like ?version=16), so via this URL pipelines will always download the latest version of this MR.
And any user that has write access to the source branch (not the target branch) can add any code (including harmful code) to it, and that code will be picked up by pipelines and deployed to production.
The main problem concerns those developers who don't think about the described security problem, but since GitLab doesn't provide any other way to get a static link to the diff of an exact MR version, they use what they have.
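Until GitLab offers a version-pinned diff URL, a pipeline can at least refuse to apply a diff that differs from the one that was reviewed, by pinning the diff's SHA-256 digest. The following POSIX shell script is an added example written for this issue, not code from GitLab or the Drupal project; PATCH_URL and PATCH_SHA256 are hypothetical pipeline variables, and the script assumes curl, git and sha256sum (or shasum) exist in the job image.

```sh
#!/bin/sh
# Added example, not code from GitLab or from the Drupal project: until an MR
# diff URL can be pinned to one version, pin the patch by its content instead.
# The reviewer records the SHA-256 of the diff they reviewed; the pipeline
# refuses to apply anything else, so a later push to the MR source branch
# (by anyone with write access to it) cannot silently change what gets deployed.
#
# Assumed tools: curl, git, and sha256sum (or shasum). PATCH_URL and
# PATCH_SHA256 are hypothetical pipeline variables, not GitLab settings.
set -eu

# Print the SHA-256 digest of file $1 (coreutils sha256sum, or shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed (exit 0) only if file $1 has exactly the pinned digest $2.
# The comparison is on the full hex digest, so a truncated pin is rejected too.
verify_patch_digest() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download $1 to $2 and verify it against pinned digest $3.
# On mismatch the file is removed so nothing downstream can apply it by accident.
fetch_pinned_patch() {
    url="$1"; out="$2"; expected="$3"
    curl -fsSL "$url" -o "$out"
    if ! verify_patch_digest "$out" "$expected"; then
        echo "refusing $url: digest $(sha256_of "$out") != pinned $expected" >&2
        echo "(the MR was probably updated since the patch was reviewed)" >&2
        rm -f "$out"
        return 1
    fi
}

# Apply a verified patch; --check first so a partially applied tree is never left behind.
apply_verified_patch() {
    git apply --check "$1" && git apply "$1"
}

# Typical pipeline use (hypothetical variables):
#   fetch_pinned_patch "$PATCH_URL" mr.diff "$PATCH_SHA256" && apply_verified_patch mr.diff
```

The pin deliberately changes every time the MR is updated: a push to the source branch now fails the pipeline loudly instead of being deployed, and a reviewer has to look at the new diff and update the pin. This does not protect the very first fetch, where the digest is taken; that one still has to be reviewed by a person.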
So, to fix this security problem, please implement some way to get links to the exact version of diffs, something like this:
https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18171.diff?version=16
https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18171.diff?diff_id=24129347
Moreover, GitLab already uses such links in the UI version of the MR; here is an example:
https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18171/diffs?diff_id=24129347
So it seems we just need to extend this functionality to the diff file generation function too. Is it hard to implement?