Limit maximum `vulnerabilities_allowed` to not overflow `smallint`
Summary
When a policy defines `vulnerabilities_allowed` larger than a `smallint` can hold, policy sync fails with `out of range for ActiveModel::Type::Integer with limit 2 bytes`.
We should limit this value to a maximum of 32767: the range of `smallint` is -32768 to +32767.
Steps to reproduce
Create a policy with the following YAML:
```yaml
type: approval_policy
name: Test
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 100000
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: true
```
Example Project
What is the current bug behavior?
We have errors when syncing policies and the approval rules are not applied.
What is the expected correct behavior?
We shouldn't allow such a policy to be created.
Possible fixes
There are 2 ways to prevent this:
- Validate `maximum` using the JSON schema. This is easier, but existing policies with a larger value would disappear from the list and must be fixed directly in `policy.yml` in the Security Policy Project repository.
diff --git a/ee/app/validators/json_schemas/security_orchestration_policy.json b/ee/app/validators/json_schemas/security_orchestration_policy.json
index 2c20ce3d32fa..5880c18e40f8 100644
--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -568,7 +568,8 @@
"vulnerabilities_allowed": {
"description": "Specifies a number of vulnerabilities allowed before this rule is enforced.",
"type": "integer",
- "minimum": 0
+ "minimum": 0,
+ "maximum": 32767
},
"severity_levels": {
"description": "Specifies a list of vulnerability security levels that should be concidered to enforce this policy. Possible values: `info`, `unknown`, `low`, `medium`, `high`, `critical`.",
- Validate in code using `ValidatePolicyService`.
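The following is an added example of the second option, written for this issue and not taken from GitLab's `ValidatePolicyService`. It assumes only the rule layout shown in the reproduction YAML above (`rules[].type == "scan_finding"` with a `vulnerabilities_allowed` integer) and rejects any value outside the range that both the JSON schema (`minimum: 0`) and a 2-byte `smallint` column can accept. The `fits_smallint?` helper mirrors the bound the database layer enforces, so the two checks can be compared on the same input.

```ruby
require 'yaml'

# Bounds of a PostgreSQL smallint, which is what
# ActiveModel::Type::Integer with limit: 2 enforces.
SMALLINT_MIN = -32_768
SMALLINT_MAX = 32_767

# Values the policy should accept: the schema already requires minimum 0,
# and the column cannot store anything above SMALLINT_MAX.
VULNERABILITIES_ALLOWED_RANGE = (0..SMALLINT_MAX)

# Mirrors the database-layer check from the error message: true when the
# value is an integer that fits in a signed 2-byte column.
def fits_smallint?(value)
  value.is_a?(Integer) && value.between?(SMALLINT_MIN, SMALLINT_MAX)
end

# Hypothetical service-side validation (example code, not GitLab's own).
# Walks every scan_finding rule of an already-parsed policy hash and returns
# an array of error strings; an empty array means the policy is acceptable.
def validate_vulnerabilities_allowed(policy)
  errors = []
  policy.fetch('rules', []).each_with_index do |rule, index|
    next unless rule['type'] == 'scan_finding'
    next unless rule.key?('vulnerabilities_allowed')

    value = rule['vulnerabilities_allowed']
    unless value.is_a?(Integer)
      errors << "rules[#{index}].vulnerabilities_allowed must be an integer, got #{value.inspect}"
      next
    end
    unless VULNERABILITIES_ALLOWED_RANGE.cover?(value)
      errors << "rules[#{index}].vulnerabilities_allowed must be between " \
                "#{VULNERABILITIES_ALLOWED_RANGE.min} and #{VULNERABILITIES_ALLOWED_RANGE.max}, got #{value}"
    end
  end
  errors
end

# Parses policy YAML (as stored in policy.yml) and validates it.
def validate_policy_yaml(yaml_text)
  validate_vulnerabilities_allowed(YAML.safe_load(yaml_text))
end

# Constructed input: the reproduction policy from this issue, with the
# out-of-range value 100000.
POLICY_YAML = <<~YAML
  type: approval_policy
  name: Test
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 100000
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - developer
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
YAML

if $PROGRAM_NAME == __FILE__
  puts validate_policy_yaml(POLICY_YAML)
  puts "100000 fits smallint? #{fits_smallint?(100_000)}"
  puts "32767 fits smallint?  #{fits_smallint?(32_767)}"
end
```

Running the file prints one error for the 100000 value; replacing it with 32767 yields no errors, and a value such as -1 is rejected by the service check even though it would fit the column, which is why the policy-level range is 0..32767 rather than the raw `smallint` range.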