Commit 426ce8e8 authored by Marius Bobin's avatar Marius Bobin Committed by Grzegorz Bizon

Add value validations for instance variables

Instance level variables have a database constraint for the size
of the encrypted_value at 1024 characters.
parent 1053131f
...@@ -13,6 +13,11 @@ module Ci ...@@ -13,6 +13,11 @@ module Ci
message: "(%{value}) has already been taken" message: "(%{value}) has already been taken"
} }
validates :encrypted_value, length: {
maximum: 1024,
too_long: 'The encrypted value of the provided variable exceeds %{count} bytes. Variables over 700 characters risk exceeding the limit.'
}
scope :unprotected, -> { where(protected: false) } scope :unprotected, -> { where(protected: false) }
after_commit { self.class.invalidate_memory_cache(:ci_instance_variable_data) } after_commit { self.class.invalidate_memory_cache(:ci_instance_variable_data) }
......
---
title: Add value length validations for instance level variable
merge_request: 32303
author:
type: fixed
...@@ -77,7 +77,7 @@ POST /admin/ci/variables ...@@ -77,7 +77,7 @@ POST /admin/ci/variables
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------------|---------|----------|-----------------------| |-----------------|---------|----------|-----------------------|
| `key` | string | yes | The `key` of a variable. Max 255 characters, only `A-Z`, `a-z`, `0-9`, and `_` are allowed. | | `key` | string | yes | The `key` of a variable. Max 255 characters, only `A-Z`, `a-z`, `0-9`, and `_` are allowed. |
| `value` | string | yes | The `value` of a variable. | | `value` | string | yes | The `value` of a variable. Around 700 characters allowed. |
| `variable_type` | string | no | The type of a variable. Available types are: `env_var` (default) and `file`. | | `variable_type` | string | no | The type of a variable. Available types are: `env_var` (default) and `file`. |
| `protected` | boolean | no | Whether the variable is protected. | | `protected` | boolean | no | Whether the variable is protected. |
| `masked` | boolean | no | Whether the variable is masked. | | `masked` | boolean | no | Whether the variable is masked. |
......
...@@ -9,6 +9,7 @@ describe Ci::InstanceVariable do ...@@ -9,6 +9,7 @@ describe Ci::InstanceVariable do
it { is_expected.to include_module(Ci::Maskable) } it { is_expected.to include_module(Ci::Maskable) }
it { is_expected.to validate_uniqueness_of(:key).with_message(/\(\w+\) has already been taken/) } it { is_expected.to validate_uniqueness_of(:key).with_message(/\(\w+\) has already been taken/) }
it { is_expected.to validate_length_of(:encrypted_value).is_at_most(1024).with_message(/Variables over 700 characters risk exceeding the limit/) }
describe '.unprotected' do describe '.unprotected' do
subject { described_class.unprotected } subject { described_class.unprotected }
......
...@@ -109,6 +109,22 @@ describe ::API::Admin::Ci::Variables do ...@@ -109,6 +109,22 @@ describe ::API::Admin::Ci::Variables do
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
end end
it 'does not allow values above 700 characters' do
too_long_message = <<~MESSAGE.strip
The encrypted value of the provided variable exceeds 1024 bytes. \
Variables over 700 characters risk exceeding the limit.
MESSAGE
expect do
post api('/admin/ci/variables', admin),
params: { key: 'too_long', value: SecureRandom.hex(701) }
end.not_to change { ::Ci::InstanceVariable.count }
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response).to match('message' =>
a_hash_including('encrypted_value' => [too_long_message]))
end
end end
context 'authorized user with invalid permissions' do context 'authorized user with invalid permissions' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment