Use ref instead of sha for CI config variables

A SHA cannot be used as a ref for this purpose. The ref is meant to be a branch name or a tag name, and it is used to decide if the branch or tag is protected. Passing a sha results in the ref getting treated as unprotected, unless the sha happens to match a protected branch or tag (which is a security issue). See https://gitlab.com/gitlab-org/gitlab/-/issues/337344

Use ref instead of sha for CI config variables
A SHA cannot be used as a ref for this purpose. The ref is meant to be a branch name or a tag name, and it is used to decide if the branch or tag is protected. Passing a sha results in the ref getting treated as unprotected, unless the sha happens to match a protected branch or tag (which is a security issue). See https://gitlab.com/gitlab-org/gitlab/-/issues/337344
cbeb4116 · Hordur Freyr Yngvason · Matthias Käppler · 05476fef · cbeb4116 · cbeb4116
Commit cbeb4116 authored Aug 02, 2021 by Hordur Freyr Yngvason Committed by Matthias Käppler Aug 02, 2021
3 changed files
--- a/lib/gitlab/ci/config.rb
+++ b/lib/gitlab/ci/config.rb
@@ -20,7 +20,7 @@ module Gitlab
      attr_reader :root, :context, :ref, :source

      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
-        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
+        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline, ref: ref)
        @context.set_deadline(TIMEOUT_SECONDS)

        @ref = ref
@@ -108,13 +108,13 @@ module Gitlab
        end
      end

-      def build_context(project:, sha:, user:, parent_pipeline:)
+      def build_context(project:, sha:, user:, parent_pipeline:, ref:)
        Config::External::Context.new(
          project: project,
          sha: sha || find_sha(project),
          user: user,
          parent_pipeline: parent_pipeline,
-          variables: build_variables(project: project, ref: sha))
+          variables: build_variables(project: project, ref: ref))
      end

      def build_variables(project:, ref:)

--- a/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do
    context 'when ref is protected' do
      before do
        allow(project).to receive(:protected_for?).with('master').and_return(true)
-        allow(project).to receive(:protected_for?).with('b83d6e391c22777fca1ed3012fce84f633d7fed0').and_return(true)
        allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true)

        dependencies.map(&:perform!)

--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -1328,7 +1328,7 @@ RSpec.describe Ci::CreatePipelineService do
            end

            context 'when ref is tag' do
-              let(:ref_name) { 'refs/tags/v1.1.0' }
+              let(:ref_name) { 'refs/tags/v1.0.0' }

              it 'does not create an extrnal pull request pipeline', :aggregate_failures do
                expect(response).to be_error
@@ -1516,7 +1516,7 @@ RSpec.describe Ci::CreatePipelineService do
            end

            context 'when ref is tag' do
-              let(:ref_name) { 'refs/tags/v1.1.0' }
+              let(:ref_name) { 'refs/tags/v1.0.0' }

              it 'does not create a merge request pipeline', :aggregate_failures do
                expect(response).to be_error