From ebdebae4ea174228e90e5a4a4251c7e2cfca5608 Mon Sep 17 00:00:00 2001 From: Robert Speicher Date: Tue, 13 Feb 2018 12:43:11 -0600 Subject: Add a security harness script This script toggles a Git pre-push hook that will prevent pushing to remotes other than dev when the harness is enabled. --- scripts/security-harness | 55 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100755 scripts/security-harness (limited to 'scripts')
diff --git a/scripts/security-harness b/scripts/security-harness
new file mode 100755
index 00000000000..d454f44dff7
--- /dev/null
+++ b/scripts/security-harness
@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+
+require 'digest'
+require 'fileutils'
+
+harness_path = File.expand_path('../.git/security_harness', __dir__)
+hook_path = File.expand_path("../.git/hooks/pre-push", __dir__)
+
+if File.exist?(hook_path)
+ # Deal with a pre-existing hook
+ source_sum = Digest::SHA256.hexdigest(DATA.read)
+ dest_sum = Digest::SHA256.file(hook_path).hexdigest
+
+ if source_sum != dest_sum
+ puts "#{hook_path} exists and is different from our hook!"
+ puts "Remove it and re-run this script to continue."
+
+ exit 1
+ end
+else
+ File.open(hook_path, 'w') do |file|
+ IO.copy_stream(DATA, file)
+ end
+end
+
+# Toggle the harness on or off
+if File.exist?(harness_path)
+ FileUtils.rm(harness_path)
+
+ puts "Security harness removed -- you can now push to all remotes."
+else
+ FileUtils.touch(harness_path)
+
+ puts "Security harness installed -- you will only be able to push to dev.gitlab.org!"
+end
+
+__END__
+#!/bin/sh
+
+set -e
+
+url="$2"
+harness=`dirname "$0"`/../security_harness
+
+if [ -e "$harness" ]
+then
+ if [[ "$url" != *"dev.gitlab.org"* ]]
+ then
+ echo "Pushing to remotes other than dev.gitlab.org has been disabled!"
+ echo "Run scripts/security-harness to disable this check."
+ echo
+
+ exit 1
+ fi
+fi
-- cgit v1.2.1
From e4990b66df64f2e23502d161f411335c9a771a43 Mon Sep 17 00:00:00 2001
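Review bot: The installed hook fails open on two paths, so the script can print "Security harness installed" while nothing actually blocks a push. In the `else` branch that writes the hook, `File.open(hook_path, 'w')` leaves the file without the executable bit and Git skips non-executable hooks; add `File.chmod(0755, hook_path)` after the copy. The embedded hook declares `#!/bin/sh` but tests the URL with `[[ ... ]]`, which is not POSIX: where `/bin/sh` is not bash the test errors out, the `if` treats that as false even under `set -e`, and the push proceeds, so use `#!/usr/bin/env bash` or a POSIX `case "$url" in *dev.gitlab.org*) ;; *) ... exit 1 ;; esac`. The comparison is also a substring match over the whole URL, so a remote whose host or path merely contains `dev.gitlab.org` passes; matching on the parsed host would be tighter.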
From: =?UTF-8?q?R=C3=A9my=20Coutable?= Date: Fri, 26 Jan 2018 15:23:46 +0100 Subject: Combine all rake tasks in the static-analysis job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémy Coutable --- scripts/static-analysis | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'scripts') diff --git a/scripts/static-analysis b/scripts/static-analysis index bdb88f3cb57..db4df4ee6cb 100755 --- a/scripts/static-analysis +++ b/scripts/static-analysis @@ -26,15 +26,10 @@ def emit_errors(static_analysis) end tasks = [ - %w[bundle exec rake config_lint], - %w[bundle exec rake flay], - %w[bundle exec rake haml_lint], - %w[bundle exec rake scss_lint], + %w[bin/rake lint:all], %w[bundle exec license_finder], %w[yarn run eslint], %w[bundle exec rubocop --parallel], - %w[bundle exec rake gettext:lint], - %w[bundle exec rake lint:static_verification], %w[scripts/lint-conflicts.sh], %w[scripts/lint-rugged] ] -- cgit v1.2.1 From 2f0d2ab55b6deac79f81834f6724a676ceae94ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Coutable?= Date: Mon, 12 Feb 2018 18:34:07 +0100 Subject: Run lint:all tasks in forks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémy Coutable --- scripts/static-analysis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'scripts') diff --git a/scripts/static-analysis b/scripts/static-analysis index db4df4ee6cb..0e67eabfec1 100755 --- a/scripts/static-analysis +++ b/scripts/static-analysis @@ -7,7 +7,7 @@ require_relative '../lib/gitlab/popen/runner' def emit_warnings(static_analysis) static_analysis.warned_results.each do |result| puts - puts "**** #{result.cmd.join(' ')} had the following warnings:" + puts "**** #{result.cmd.join(' ')} had the following warning(s):" puts puts result.stderr puts 
@@ -17,7 +17,7 @@ end def emit_errors(static_analysis) static_analysis.failed_results.each do |result| puts - puts "**** #{result.cmd.join(' ')} failed with the following error:" + puts "**** #{result.cmd.join(' ')} failed with the following error(s):" puts puts result.stdout puts result.stderr -- cgit v1.2.1