Prevent deploy keys from pushing code to an archived project

Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-4' into '17-4-stable-ee' See merge request gitlab-org/security/gitlab!4486 Changelog: security

Prevent deploy keys from pushing code to an archived project
ed7a5173 · Tiger Watson · GitLab Release Tools Bot · 6bce855e · ed7a5173 · ed7a5173
Commit ed7a5173 authored 4 months ago by Tiger Watson Committed by GitLab Release Tools Bot 4 months ago
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -29,6 +29,7 @@ class GitAccess
      upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.',
      receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.',
      read_only: 'The repository is temporarily read-only. Please try again later.',
+      archived: "You can't push code to an archived project.",
      cannot_push_to_read_only: "You can't push code to a read-only GitLab instance.",
      push_code: 'You are not allowed to push code to this project.'
    }.freeze
@@ -341,6 +342,10 @@ def check_push_access!
        raise ForbiddenError, error_message(:read_only)
      end
  
+      if project&.archived?
+        raise ForbiddenError, error_message(:archived)
+      end
+
      if deploy_key?
        unless deploy_key.can_push_to?(project)
          raise ForbiddenError, error_message(:deploy_key_upload)

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -1127,6 +1127,16 @@ def self.run_permission_checks(permissions_matrix)
    end
  end
  
+  context 'when the project is archived' do
+    let(:project) { create(:project, :repository, :archived) }
+
+    it 'denies push access' do
+      project.add_maintainer(user)
+
+      expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:archived])
+    end
+  end
+
  describe 'deploy key permissions' do
    let(:key) { create(:deploy_key, user: user) }
    let(:actor) { key }
@@ -1138,6 +1148,14 @@ def self.run_permission_checks(permissions_matrix)
        end
  
        it { expect { push_access_check }.not_to raise_error }
+
+        context 'when project is archived' do
+          before do
+            project.update!(archived: true)
+          end
+
+          it { expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:archived]) }
+        end
      end
  
      context 'when unauthorized' do