EventStore: Disallow passing data without schema definition
What does this MR do and why?
Before this change, passing arbitrary data to events did not raise an error. This can lead to passing data unintentionally and thus creating schema dependencies which are not covered by schema definitions.
This commit disallows the use of optional properties with explicit schema definition.
If events really need to allow passing arbitrary data, they must define additionalProperties: true in their schema.
Closes #433122 (closed).
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
In Rails console:
# Before on `master`
> Projects::ProjectDeletedEvent.new(data: { project_id: 23, namespace_id: 42, any_data: 'backdoored' })
=> #<Projects::ProjectDeletedEvent:0x00007f30f96c4388 @data={:project_id=>23, :namespace_id=>42, :any_data=>"backdoored"}>
# After
> Projects::ProjectDeletedEvent.new(data: { project_id: 23, namespace_id: 42, any_data: 'backdoored' })
Gitlab::EventStore::InvalidEvent: Data for event Projects::ProjectDeletedEvent does not match the defined schema: ["property '/any_data' is invalid: error_type=schema"]
from /home/peter/devel/gitlab/gdk/gitlab/lib/gitlab/event_store/event.rb:78:in `validate_data!'
Edited by Peter Leitzen
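The strict-by-default rule described in this MR, as an added example that is not GitLab's EventStore code: a small stand-in validator that rejects undeclared keys unless the schema sets additionalProperties: true. The class names StrictEvent and OpenEndedEvent, the helper rejected?, and the simplified schema handling (only required, properties and additionalProperties) are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's EventStore code. This stand-in validator
# handles only `required`, `properties` and `additionalProperties`.
class InvalidEvent < StandardError; end

class StrictEvent
  attr_reader :data

  def initialize(data:)
    @data = data
    errors = schema_errors
    return if errors.empty?
    raise InvalidEvent, "Data for event #{self.class} does not match the defined schema: #{errors}"
  end

  def schema
    raise NotImplementedError, 'events must define a schema'
  end

  private

  def schema_errors
    keys = data.keys.map(&:to_s)
    errors = (schema.fetch('required', []) - keys).map { |k| "missing required property '/#{k}'" }
    # Strict by default: undeclared keys pass only on explicit opt-in.
    return errors if schema['additionalProperties'] == true
    errors + (keys - schema.fetch('properties', {}).keys).map { |k| "property '/#{k}' is invalid" }
  end
end

# Hypothetical event mirroring the console session above.
class ProjectDeletedEvent < StrictEvent
  def schema
    { 'required' => %w[project_id namespace_id],
      'properties' => { 'project_id' => {}, 'namespace_id' => {} } }
  end
end

# Hypothetical event that opts in to arbitrary extra data.
class OpenEndedEvent < ProjectDeletedEvent
  def schema
    super.merge('additionalProperties' => true)
  end
end

# True when constructing the event raises InvalidEvent.
def rejected?(klass, data)
  klass.new(data: data)
  false
rescue InvalidEvent
  true
end
```

The opt-in event still enforces its required keys, so additionalProperties: true widens what may be passed without loosening the declared contract.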