Require resource id when using slash commands

Michael Thomas requested to merge require_resource_id_for_slash_commands into master

What does this MR do and why?

This change fixes the following problem in older versions of the VSCode GitLab extension:

users can use Duo features even for projects that have explicitly disabled it

In the GitLab UI you can also use the /explain Slash command by visiting a file, highlighting some code, and then pressing on the ? icon. Docs here.

When I press the icon in the Web UI, it generates a Duo Chat GraphQL request where the question is /explain and the resourceId of the current project is passed. So in the Web UI, Duo feature settings are always respected.

The reason the behavior is different in the IDE is that the GraphQL API requests were being sent without any resourceId. So, the GraphQL API assumes that the code is not related to a GitLab project and allows the request to go through as long as the user has Duo Chat access.

Editor extensions not sending resourceId has been resolved in the latest VSCode release via this issue.

While this is fixed in the latest editor extension release, we still have the issue of older editor extension versions allowing Slash commands for all projects because we do not send the project identifier to GraphQL. To "backport" this secure behavior, this issue suggests requiring that the resourceId is present for all GraphQL requests for slash commands.

The only problem with this proposal is that it effectively breaks Slash commands in all older versions of our editor extensions. So, the suggestion was to introduce it behind a feature flag and selectively enable this behavior until we are comfortable making the breaking change.

Issue: #463046

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Switch to require_resource_id_for_slash_commands branch.
  2. In GraphQL explorer verify no error is returned for this request:
    mutation {
      aiAction(
        input: {chat: {content: "/explain def hello_world"}}
      ) {
        errors
        requestId
      }
    }
  3. In rails console enable the FF:
    Feature.enable(:require_resource_id)
  4. In GraphQL explorer verify an error is now returned for this request:
    mutation {
      aiAction(
        input: {chat: {content: "/explain def hello_world"}}
      ) {
        errors
        requestId
      }
    }

    Error:

    {
      "data": {
        "aiAction": {
          "errors": [
            "ResourceId is required for slash command request."
          ],
          "requestId": null
        }
      }
    }
  5. Create a new project or navigate to an existing one in your GitLab account and grab the project id. This can be found on the project edit page.
  6. In GraphQL explorer verify an error is not returned for this request:
    mutation {
      aiAction(
        input: {chat: {resourceId: "gid://gitlab/Project/<project id>", content: "/explain def hello_world"}}
      ) {
        errors
        requestId
      }
    }
Edited by Jessie Young
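
The gate described above, sketched in Ruby as an added example (it is not GitLab's code or part of this MR). The function name, the hash-shaped input, the slash-command pattern and the two extra error strings are assumptions; the flag name, the GID shape and the first error string come from the description.

```ruby
# Added sketch, not GitLab's implementation. Only the flag name, the GID
# shape and RESOURCE_ID_REQUIRED are taken from the MR description.
RESOURCE_ID_REQUIRED = 'ResourceId is required for slash command request.'
DUO_DISABLED = 'Duo features are disabled for this project.'   # constructed message
MALFORMED_ID = 'ResourceId is not a valid project global ID.'  # constructed message

# This sketch handles project global IDs only.
PROJECT_GID = %r{\Agid://gitlab/Project/(\d+)\z}
# Assumption: a slash command is content that starts with "/word".
SLASH_COMMAND = %r{\A\s*/\w+}

# chat:             hash with :content and optional :resource_id
# flags:            enabled feature-flag names
# duo_disabled_ids: project ids that turned Duo off (constructed data)
def chat_request_errors(chat, flags:, duo_disabled_ids:)
  content = chat.fetch(:content, '')
  resource_id = chat[:resource_id]

  if resource_id.nil? || resource_id.empty?
    # Older clients omit the id. With the flag off the request is treated as
    # unrelated to any project, so no project setting is ever consulted.
    required = flags.include?(:require_resource_id) && content.match?(SLASH_COMMAND)
    return required ? [RESOURCE_ID_REQUIRED] : []
  end

  match = PROJECT_GID.match(resource_id)
  return [MALFORMED_ID] unless match

  # With an id present, the project's own Duo setting can be enforced.
  duo_disabled_ids.include?(match[1].to_i) ? [DUO_DISABLED] : []
end
```

With the flag off, the first branch is what lets an older extension run /explain against code from a project that has disabled Duo.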
