Create custom validator for sha params in the API
Problem to solve
In the past, we have had problems with invalid SHAs. Gitaly has added this kind of validation in several RPCs, raising the error invalid CommitSha.
At the moment, in the API we don't perform any validation on this kind of param.
Further details
If we stop the request when the SHA is invalid, we can avoid some RPCs and unnecessary work from the platform.
Proposal
The idea is to create a Grape::Validations object (lib/api/helpers/custom_validators.rb) that checks the SHA. In some places, we use \A[0-9a-f]{40}\z and /\A\h{40}\z/ to check the format.
Nevertheless, perhaps we have to allow short SHA formats (/\A\h{5,40}\z/), but this is something we have to investigate.
Then we have to review the different endpoints (for example searching for :sha, or :ref, in some endpoints) and add this validator.
What does success look like, and how can we measure that?
Endpoints that accept the SHA of a repository as a param should raise an error when it is invalid.
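The three patterns quoted in the proposal do not accept the same inputs, which matters when choosing one for the validator. The following is an added example, not code from the issue or from the project: it compares the patterns on constructed values and shows one possible Grape wiring. The names ShaParam, error_for, accepted_by and Sha are hypothetical, and the wiring assumes the Grape::Validations::Validators::Base API.

```ruby
# Added example: the patterns quoted in the issue, compared on constructed inputs.
module ShaParam
  PATTERNS = {
    lower_full: /\A[0-9a-f]{40}\z/, # from the issue: lowercase hex only
    hex_full: /\A\h{40}\z/,         # from the issue: \h also accepts A-F
    hex_short: /\A\h{5,40}\z/       # from the issue: short SHA, still to be investigated
  }.freeze

  # Returns nil when the value matches, otherwise a message for the API error.
  def self.error_for(value, pattern: :hex_full)
    return 'must be a string' unless value.is_a?(String)
    return nil if PATTERNS.fetch(pattern).match?(value)

    'should be a valid sha'
  end

  # Names of the patterns that accept the value; shows where the candidates disagree.
  def self.accepted_by(value)
    PATTERNS.select { |_, re| value.is_a?(String) && re.match?(value) }.keys
  end
end

# Constructed sample values, not taken from any repository.
FULL = 'a' * 40
SAMPLES = {
  'full lowercase' => FULL,
  'full uppercase' => FULL.upcase,
  'short' => 'abc1234',
  'ref-style value' => 'main',
  'trailing newline' => "#{FULL}\n",
  'array param' => [FULL]
}.freeze

# Wiring into Grape, defined only when the gem is loaded (assumed API, see lead-in).
if defined?(Grape::Validations::Validators::Base)
  class Sha < Grape::Validations::Validators::Base
    def validate_param!(attr_name, params)
      message = ShaParam.error_for(params[attr_name])
      return unless message

      raise Grape::Exceptions::Validation.new(
        params: [@scope.full_name(attr_name)], message: message
      )
    end
  end
end

SAMPLES.each { |label, v| puts format('%-17s %p', label, ShaParam.accepted_by(v)) }
```

All three patterns reject the ref-style value, so a param that may carry a branch or tag name cannot use the same check as one that only carries a SHA.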