Check that the head sha matches the head diff sha
What does this MR do and why?
This MR fixes a race condition in the merge request conflict checking logic that could allow unauthorized merges. The issue occurs when the source branch SHA doesn't match the diff head SHA, indicating that the merge request data is stale or being recalculated.
The Problem: The CheckConflictStatusService was only checking if a merge request can_be_merged? without first verifying that the source branch SHA matches the diff head SHA. This creates a window where:
- A user without merge permissions could see a "Merge" button briefly
- If they click it during this window, the merge could succeed before proper conflict checks complete
- This is a security issue that allows unauthorized merges
The Solution: The fix adds an explicit check at the beginning of the conflict status check:
- If source_branch_sha != diff_head_sha, return CHECKING_STATUS immediately
- This ensures the merge request data is fresh before proceeding with other checks
- Only after confirming the SHAs match do we check the actual merge status
The change includes:
- Updated service logic with the new SHA comparison check
- Expanded test coverage with a new context for when SHAs don't match
- Proper handling of the checking state during data synchronization
References
Fixes #429516 - Auto Merge button load time temporarily allows unauthorised immediate merge
How to set up and validate locally
- Create a merge request where the source branch has been updated
- Verify that during the initial conflict check, the service returns CHECKING_STATUS when SHAs don't match
- Confirm that once SHAs are synchronized, the normal merge status checks proceed
- Run the test suite to ensure all conflict checking scenarios are covered
Edited by Marc Shaw
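
The check ordering described under "The Solution", as an added Ruby example that is not GitLab's service code. MergeRequestStub, the two conflict_status_* functions, the SUCCESS/FAILED status names and the SHA values are constructed for illustration; only source_branch_sha, diff_head_sha, can_be_merged? and CHECKING_STATUS come from the description above.

```ruby
# Added illustration, not GitLab's implementation. Everything except the
# names taken from the MR description is a constructed stand-in.
CHECKING_STATUS = :checking
SUCCESS_STATUS  = :success # assumed name
FAILED_STATUS   = :failed  # assumed name

# Stand-in for a merge request. cached_mergeable models a mergeability
# verdict that was computed for diff_head_sha, not for the branch tip.
MergeRequestStub = Struct.new(:source_branch_sha, :diff_head_sha, :cached_mergeable) do
  def can_be_merged?
    cached_mergeable
  end
end

# Ordering described under "The Problem": the verdict is reported even when
# the diff has not caught up with the source branch.
def conflict_status_before_fix(mr)
  mr.can_be_merged? ? SUCCESS_STATUS : FAILED_STATUS
end

# Ordering described under "The Solution": compare the SHAs first and report
# the checking state while they differ (a missing diff SHA also differs).
def conflict_status_after_fix(mr)
  return CHECKING_STATUS if mr.source_branch_sha != mr.diff_head_sha

  mr.can_be_merged? ? SUCCESS_STATUS : FAILED_STATUS
end

# Constructed cases: a push moved the branch to "bbb222" while the diff still
# describes "aaa111"; no diff exists yet; the diff is refreshed.
def sample_cases
  {
    stale_diff:      MergeRequestStub.new("bbb222", "aaa111", true),
    diff_missing:    MergeRequestStub.new("bbb222", nil, true),
    synced_conflict: MergeRequestStub.new("bbb222", "bbb222", false),
    synced_clean:    MergeRequestStub.new("bbb222", "bbb222", true)
  }
end

# Returns { case_name => [status_before_fix, status_after_fix] }.
def compare_orderings
  sample_cases.transform_values do |mr|
    [conflict_status_before_fix(mr), conflict_status_after_fix(mr)]
  end
end

compare_orderings.each { |name, (before, after)| puts "#{name}: #{before} -> #{after}" }
```

The first two cases are the stale window: the old ordering reports a mergeable verdict for a commit the diff does not describe, while the new ordering holds at the checking state until the SHAs match.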