Skip pre-receive SD on deletes

We should skip pre-receive secret detection on delete actions, which is indicated by a blank ref. This can time out for large repos. Changelog: fixed EE: true

Skip pre-receive SD on deletes
be2328e7 · rossfuhrman · GitLab · 84a93caf · be2328e7 · be2328e7
--- a/ee/lib/gitlab/checks/secrets_check.rb
+++ b/ee/lib/gitlab/checks/secrets_check.rb
@@ -43,11 +43,15 @@ def validate!
        #   2. unless we are on GitLab.com or a Dedicated instance
        #   3. unless feature flag is enabled for this project (when instance type is GitLab.com)
        #   4. unless license is ultimate
+        #   5. if it is a delete branch/tag operation, as it would require scanning the entire revision history
+        #   6. if options are passed for us to skip the check

        return unless run_pre_receive_secret_detection?

        return unless project.licensed_feature_available?(:pre_receive_secret_detection)

+        return if includes_full_revision_history?
+
        # Skip if any commit has the special bypass flag `[skip secret detection]`
        if skip_secret_detection_commit_message?
          log_audit_event(_("commit message"))
@@ -104,6 +108,10 @@ def enabled_for_dedicated_project?
          project.security_setting.pre_receive_secret_detection_enabled
      end

+      def includes_full_revision_history?
+        Gitlab::Git.blank_ref?(changes_access.changes.first[:newrev])
+      end
+
      def skip_secret_detection_commit_message?
        changes_access.commits.any? { |commit| commit.safe_message =~ SPECIAL_COMMIT_FLAG }
      end

--- a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb
+++ b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb
@@ -38,6 +38,12 @@
            stub_licensed_features(pre_receive_secret_detection: true)
          end

+          context 'when deleting the branch' do
+            it 'skips the check' do
+              expect(delete_branch.validate!).to be_nil
+            end
+          end
+
          it_behaves_like 'scan passed'
          it_behaves_like 'scan detected secrets'
          it_behaves_like 'scan detected secrets but some errors occured'

--- a/ee/spec/support/shared_contexts/secrets_check_shared_contexts.rb
+++ b/ee/spec/support/shared_contexts/secrets_check_shared_contexts.rb
@@ -39,6 +39,17 @@
    ]
  end

+  # repository.blank_ref is used to denote a delete commit
+  let(:delete_changes) do
+    [
+      {
+        oldrev: initial_commit,
+        newrev: repository.blank_ref,
+        ref: 'refs/heads/master'
+      }
+    ]
+  end
+
  # Set up the `changes_access` object to use below.
  let(:protocol) { 'ssh' }
  let(:timeout) { Gitlab::GitAccess::INTERNAL_TIMEOUT }
@@ -57,6 +68,17 @@
    )
  end

+  let(:delete_changes_access) do
+    Gitlab::Checks::ChangesAccess.new(
+      delete_changes,
+      project: project,
+      user_access: user_access,
+      protocol: protocol,
+      logger: logger,
+      push_options: push_options
+    )
+  end
+
  # We cannot really get the same Gitlab::Git::Blob objects even if we call `list_all_blobs` or `list_blobs`
  # directly in any of the specs (which is also not a very good idea) as the object ids will always
  # be different, so we expect the attributes of the returned object to match.
@@ -99,6 +121,8 @@
  end

  subject(:secrets_check) { described_class.new(changes_access) }
+
+  let(:delete_branch) { described_class.new(delete_changes_access) }
 end

 RSpec.shared_context 'secret detection error and log messages context' do