GRPC::InvalidArgument: request contains no file pairs to diff in secret push protection

Summary

A GRPC::InvalidArgument exception is raised during secret push protection validation when attempting to diff blobs.

Error Message

GRPC::InvalidArgument: 3:request contains no file pairs to diff.

Stack Trace

GRPC::InvalidArgument: 3:request contains no file pairs to diff.
  from grpc/generic/active_call.rb:29:in `check_status'
  from grpc/generic/active_call.rb:189:in `attach_status_results_and_complete_call'
  from grpc/generic/active_call.rb:174:in `receive_and_check_status'
  from grpc/generic/active_call.rb:344:in `each_remote_read_then_finish'
  from config/initializers/enumerator_next_patch.rb:11:in `block (2 levels) in <module:EnumeratorNextPatch>'
  from lib/gitlab/gitaly_client/call.rb:46:in `block (3 levels) in instrument_stream'
  from lib/gitlab/gitaly_client/call.rb:61:in `recording_request'
  from lib/gitlab/gitaly_client/call.rb:46:in `block (2 levels) in instrument_stream'
  from lib/gitlab/gitaly_client/call.rb:45:in `loop'
  from lib/gitlab/gitaly_client/call.rb:45:in `block in instrument_stream'
  from lib/gitlab/gitaly_client/diff_blobs_stitcher.rb:15:in `each'
  from lib/gitlab/gitaly_client/diff_blobs_stitcher.rb:15:in `each'
  from lib/gitlab/gitaly_client/diff_blobs_stitcher.rb:15:in `each'
  from gitlab/checks/secret_push_protection/payload_processor.rb:192:in `to_a'
  from gitlab/checks/secret_push_protection/payload_processor.rb:192:in `diff_blobs'
  from gitlab/checks/secret_push_protection/payload_processor.rb:278:in `block in get_diffs'
  from gitlab/checks/secret_push_protection/payload_processor.rb:274:in `each'
  from gitlab/checks/secret_push_protection/payload_processor.rb:274:in `each_slice'
  from gitlab/checks/secret_push_protection/payload_processor.rb:274:in `get_diffs'
  from gitlab/checks/secret_push_protection/payload_processor.rb:32:in `standardize_payloads'
  from gitlab/checks/secret_push_protection/secrets_check.rb:80:in `block in run_validation!'
  from lib/gitlab/checks/timed_logger.rb:27:in `log_timed'
  from gitlab/checks/secret_push_protection/secrets_check.rb:79:in `run_validation!'
  from gitlab/checks/secret_push_protection/secrets_check.rb:21:in `validate!'
  from ee/gitlab/checks/changes_access.rb:15:in `bulk_access_checks!'
  from lib/gitlab/checks/changes_access.rb:30:in `block in validate!'

Analysis

The error originates from the secret push protection feature when processing payloads. It surfaces in payload_processor.rb at line 192, inside diff_blobs (called per slice from get_diffs), where the streamed response of the Gitaly RPC is read; the RPC fails because the request provides no file pairs for diffing.

Affected Components

  • Secret Push Protection (gitlab/checks/secret_push_protection/)
  • Gitaly Client (lib/gitlab/gitaly_client/)
  • Changes Access validation

Potential Causes

  • Empty or invalid blob pairs being passed to the diff operation
  • Edge case in get_diffs method when slicing payloads
  • Missing validation before making the Gitaly RPC call
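
The following is an added sketch, not GitLab's code, of how a pre-RPC guard addresses the last two potential causes: one batch-then-filter variant that can send an empty request, beside a filter-then-batch variant that cannot. All names (BlobPair, StubDiffClient, diffable?, get_diffs_unguarded, get_diffs_guarded) are hypothetical, the stub stands in for the Gitaly call, and treating a pair as invalid when an id is missing or both ids are equal is an assumption.

```ruby
# Added illustration; every name here is hypothetical, not GitLab's code.
BlobPair = Struct.new(:left_oid, :right_oid, :path)

# Stand-in for GRPC::InvalidArgument so the example runs without the grpc gem.
class InvalidArgument < StandardError; end

# Constructed stub of the diff RPC: like the server in the report,
# it rejects a request that carries no pairs.
module StubDiffClient
  def self.diff_blobs(pairs)
    raise InvalidArgument, 'request contains no file pairs to diff' if pairs.empty?

    pairs.map { |p| "#{p.left_oid}..#{p.right_oid} #{p.path}" }
  end
end

# Assumed validity rule: both ids present and different from each other.
def diffable?(pair)
  ids = [pair.left_oid, pair.right_oid]
  ids.none? { |id| id.nil? || id.empty? } && ids.uniq.size == 2
end

# Unguarded: filtering happens per batch, so a batch whose pairs are all
# unusable reaches the RPC empty and raises.
def get_diffs_unguarded(client, pairs, batch_size)
  pairs.each_slice(batch_size).flat_map do |batch|
    client.diff_blobs(batch.select { |p| diffable?(p) })
  end
end

# Guarded: filter first and return early when nothing is left, so the RPC
# is never called with an empty request.
def get_diffs_guarded(client, pairs, batch_size)
  usable = pairs.select { |p| diffable?(p) }
  return [] if usable.empty?

  usable.each_slice(batch_size).flat_map { |batch| client.diff_blobs(batch) }
end

# Constructed sample input: with a batch size of 2, the second batch
# contains no usable pair.
SAMPLE_PAIRS = [
  BlobPair.new('a1', 'b1', 'config/app.yml'),
  BlobPair.new('a2', 'b2', 'lib/token.rb'),
  BlobPair.new('c3', 'c3', 'README.md'), # identical ids
  BlobPair.new(nil, 'd4', 'tmp/x')       # missing left id
].freeze
```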