Merge branch '217936-validate-the-size-of-the-value-for-instance-level-variables' into 'master'

Validate the size of the value for instance level variables See merge request gitlab-org/gitlab!32303

Merge branch '217936-validate-the-size-of-the-value-for-instance-level-variables' into 'master'
Validate the size of the value for instance level variables See merge request gitlab-org/gitlab!32303
eb014d6b · Grzegorz Bizon · da7c062b · 426ce8e8 · eb014d6b · eb014d6b
Commit eb014d6b authored May 26, 2020 by Grzegorz Bizon
5 changed files
--- a/app/models/ci/instance_variable.rb
+++ b/app/models/ci/instance_variable.rb
@@ -13,6 +13,11 @@ module Ci
      message: "(%{value}) has already been taken"
    }

+    validates :encrypted_value, length: {
+      maximum: 1024,
+      too_long: 'The encrypted value of the provided variable exceeds %{count} bytes. Variables over 700 characters risk exceeding the limit.'
+    }
+
    scope :unprotected, -> { where(protected: false) }

    after_commit { self.class.invalidate_memory_cache(:ci_instance_variable_data) }

--- a/changelogs/unreleased/217936-validate-the-size-of-the-value-for-instance-level-variables.yml
+++ b/changelogs/unreleased/217936-validate-the-size-of-the-value-for-instance-level-variables.yml
+---
+title: Add value length validations for instance level variable
+merge_request: 32303
+author:
+type: fixed
--- a/doc/api/instance_level_ci_variables.md
+++ b/doc/api/instance_level_ci_variables.md
@@ -77,7 +77,7 @@ POST /admin/ci/variables
 | Attribute       | Type    | required | Description           |
 |-----------------|---------|----------|-----------------------|
 | `key`           | string  | yes      | The `key` of a variable. Max 255 characters, only `A-Z`, `a-z`, `0-9`, and `_` are allowed. |
-| `value`         | string  | yes      | The `value` of a variable. |
+| `value`         | string  | yes      | The `value` of a variable. Around 700 characters allowed. |
 | `variable_type` | string  | no       | The type of a variable. Available types are: `env_var` (default) and `file`. |
 | `protected`     | boolean | no       | Whether the variable is protected. |
 | `masked`        | boolean | no       | Whether the variable is masked. |

--- a/spec/models/ci/instance_variable_spec.rb
+++ b/spec/models/ci/instance_variable_spec.rb
@@ -9,6 +9,7 @@ describe Ci::InstanceVariable do

  it { is_expected.to include_module(Ci::Maskable) }
  it { is_expected.to validate_uniqueness_of(:key).with_message(/\(\w+\) has already been taken/) }
+  it { is_expected.to validate_length_of(:encrypted_value).is_at_most(1024).with_message(/Variables over 700 characters risk exceeding the limit/) }

  describe '.unprotected' do
    subject { described_class.unprotected }

--- a/spec/requests/api/admin/ci/variables_spec.rb
+++ b/spec/requests/api/admin/ci/variables_spec.rb
@@ -109,6 +109,22 @@ describe ::API::Admin::Ci::Variables do

        expect(response).to have_gitlab_http_status(:bad_request)
      end
+
+      it 'does not allow values above 700 characters' do
+        too_long_message = <<~MESSAGE.strip
+          The encrypted value of the provided variable exceeds 1024 bytes. \
+          Variables over 700 characters risk exceeding the limit.
+        MESSAGE
+
+        expect do
+          post api('/admin/ci/variables', admin),
+            params: { key: 'too_long', value: SecureRandom.hex(701) }
+        end.not_to change { ::Ci::InstanceVariable.count }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(json_response).to match('message' =>
+          a_hash_including('encrypted_value' => [too_long_message]))
+      end
    end

    context 'authorized user with invalid permissions' do