#!/usr/bin/env ruby

# frozen_string_literal: true

require 'digest'
require 'fileutils'

# ANSI colour codes used by the status messages below. Setting NO_COLOR in the
# environment (to any value, including an empty string) turns them all into
# empty strings so the output stays plain.
no_color = ENV.key?('NO_COLOR')

SHELL_RED    = no_color ? '' : "\e[1;31m"
SHELL_GREEN  = no_color ? '' : "\e[1;32m"
SHELL_YELLOW = no_color ? '' : "\e[1;33m"
SHELL_CLEAR  = no_color ? '' : "\e[0m"

# Absolute path of the git pre-push hook this script manages. `__dir__` is the
# directory containing this script; the hook's own message refers to
# scripts/security-harness, which suggests the script lives one level below the
# repository root so `..` resolves to the repository itself.
HOOK_PATH = File.expand_path(File.join('..', '.git', 'hooks', 'pre-push'), __dir__)

# Contents of the pre-push hook. When the marker file `.git/security_harness`
# (created and removed by `toggle`) exists, the hook rejects a push whose
# remote URL contains neither "dev.gitlab.org" nor "gitlab-org/security/".
# NOTE(review): the `[[ "$url" != *"..."* ]]` tests are unanchored substring
# matches over the whole remote URL, not a host comparison, so this is a guard
# against accidental pushes rather than a strict allow-list.
# The text is hashed by the version check at the bottom of this file, so any
# edit here changes the digest; the previous digest belongs in the list kept by
# `previous_version?` so existing installs are still upgraded in place.
HOOK_DATA = <<~HOOK
  #!/bin/bash

  set -e

  url="$2"
  harness=`dirname "$0"`/../security_harness

  if [ -e "$harness" ]
  then
    if [[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]
    then
      echo "Pushing to remotes other than dev.gitlab.org and gitlab.com/gitlab-org/security has been disabled!"
      echo "Run scripts/security-harness to disable this check."
      echo

      exit 1
    fi
  fi
HOOK

# Install (or overwrite) the pre-push hook at HOOK_PATH with HOOK_DATA and
# mark it executable. The hooks directory is created first if it is missing.
#
# @return [void]
def write_hook
  hook_dir = File.dirname(HOOK_PATH)
  FileUtils.mkdir_p(hook_dir)

  # Plain overwrite: the caller has already decided the existing file (if any)
  # is ours to replace.
  File.write(HOOK_PATH, HOOK_DATA)

  # git only runs hooks that are executable.
  File.chmod(0o755, HOOK_PATH)
end

# Toggle the harness on or off by creating or removing the marker file
# `.git/security_harness` that the pre-push hook checks for. Prints a coloured
# status line describing the new state.
#
# @return [void]
def toggle
  marker = File.expand_path('../.git/security_harness', __dir__)
  installed = File.exist?(marker)

  if installed
    FileUtils.rm(marker)
    message = "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
  else
    FileUtils.touch(marker)
    message = "#{SHELL_GREEN}Security harness installed -- you will only be able to push to dev.gitlab.org or gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
  end

  puts message
end

# Whether `dest_sum` is the SHA256 hex digest of an earlier revision of the hook
# text in HOOK_DATA.
#
# If the hook text changes, a plain "does the installed file match ours" check
# would refuse to touch an installed copy of the previous revision even though
# the user never edited it. Recognising the digests of old revisions lets the
# script overwrite such a file in place while still refusing to clobber a hook
# it did not write.
#
# @param dest_sum [String] SHA256 hex digest of the installed hook file
# @return [Boolean]
def previous_version?(dest_sum)
  # SHA256 hex digests of earlier revisions of HOOK_DATA; append the old digest
  # here whenever the hook text is changed.
  known_digests = [
    '010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0'
  ]

  known_digests.any? { |digest| digest == dest_sum }
end

# Entry point. Install the hook when it is absent, upgrade it in place when the
# installed copy is a known earlier revision, refuse to overwrite a hook this
# script did not write, and otherwise just flip the harness on or off.
if File.exist?(HOOK_PATH)
  current_sum   = Digest::SHA256.hexdigest(HOOK_DATA)
  installed_sum = Digest::SHA256.file(HOOK_PATH).hexdigest

  if previous_version?(installed_sum)
    # Known earlier revision of our own hook: safe to replace in place.
    write_hook
    toggle
  elsif installed_sum == current_sum
    # Installed hook is already current; only the marker file needs changing.
    toggle
  else
    # Unknown hook (user-authored or modified): never overwrite it silently.
    puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
    puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"

    exit 1
  end
else
  write_hook
  toggle
end