authorRobert Speicher <rspeicher@gmail.com>2018-02-13 12:43:11 -0600
committerRobert Speicher <rspeicher@gmail.com>2018-02-13 13:09:57 -0600
commitebdebae4ea174228e90e5a4a4251c7e2cfca5608 (patch)
treeadf9787e059aaaddeefc78cc871fd9ca67d2c977
parentdd8f56e86296f8ba6769075ef6bc6e28264706b6 (diff)
downloadgitlab-ce-ebdebae4ea174228e90e5a4a4251c7e2cfca5608.tar.gz
Add a security harness scriptrs-security-harness
This script toggles a Git pre-push hook that will prevent pushing to remotes other than dev when the harness is enabled.
-rwxr-xr-xscripts/security-harness55
1 files changed, 55 insertions, 0 deletions
diff --git a/scripts/security-harness b/scripts/security-harness
new file mode 100755
index 00000000000..d454f44dff7
--- /dev/null
+++ b/scripts/security-harness
@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+
+require 'digest'
+require 'fileutils'
+
+harness_path = File.expand_path('../.git/security_harness', __dir__)
+hook_path = File.expand_path("../.git/hooks/pre-push", __dir__)
+
+if File.exist?(hook_path)
+ # Deal with a pre-existing hook
+ source_sum = Digest::SHA256.hexdigest(DATA.read)
+ dest_sum = Digest::SHA256.file(hook_path).hexdigest
+
+ if source_sum != dest_sum
+ puts "#{hook_path} exists and is different from our hook!"
+ puts "Remove it and re-run this script to continue."
+
+ exit 1
+ end
+else
+ File.open(hook_path, 'w') do |file|
+ IO.copy_stream(DATA, file)
+ end
+end
+
+# Toggle the harness on or off
+if File.exist?(harness_path)
+ FileUtils.rm(harness_path)
+
+ puts "Security harness removed -- you can now push to all remotes."
+else
+ FileUtils.touch(harness_path)
+
+ puts "Security harness installed -- you will only be able to push to dev.gitlab.org!"
+end
+
+__END__
+#!/bin/sh
+
+set -e
+
+url="$2"
+harness=`dirname "$0"`/../security_harness
+
+if [ -e "$harness" ]
+then
+ if [[ "$url" != *"dev.gitlab.org"* ]]
+ then
+ echo "Pushing to remotes other than dev.gitlab.org has been disabled!"
+ echo "Run scripts/security-harness to disable this check."
+ echo
+
+ exit 1
+ fi
+fi
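Review bot: The pattern test `if [[ "$url" != *"dev.gitlab.org"* ]]` in the embedded hook is a bash extension, but the hook is declared `#!/bin/sh`; on systems where /bin/sh is dash or another POSIX shell, `[[` is not a builtin, the `if` condition fails with "not found" (exit 127, which `set -e` ignores inside a condition), and the hook falls through without blocking — the harness then fails open rather than closed. A POSIX `case` on the URL keeps the shebang and behaves the same under any sh, so the guarded block could be rewritten as below. The substring match also accepts any URL that merely contains `dev.gitlab.org` somewhere (for example in a path segment); anchoring on the host part of the URL would be tighter, though that is a policy choice for the authors. The `$2` argument is the remote URL by git's pre-push convention, so the argument choice itself looks right.
```sh
if [ -e "$harness" ]
then
  case "$url" in
    *dev.gitlab.org*) ;;
    *)
      # … unchanged: the two echo messages and the blank echo …
      exit 1
      ;;
  esac
fi
```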