Add Git hook to validate maximum file size.

CHANGELOG-EE

@@ -2,6 +2,7 @@ v 7.12 (Unreleased)
   - Fix error when viewing merge request with a commit that includes "Closes #<issue id>".
   - Enhance LDAP group synchronization to check also for member attributes that only contain "uid=<username>"
   - Enhance LDAP group synchronization to check also for submember attributes
+  - Add Git hook to validate maximum file size.
 v 7.11.4
   - no changes specific to EE

app/controllers/admin/git_hooks_controller.rb

@@ -20,7 +20,7 @@ class Admin::GitHooksController < Admin::ApplicationController
   def git_hook_params
     params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex,
-      :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex)
+      :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex, :max_file_size)
   end
   def git_hook

app/controllers/projects/git_hooks_controller.rb

@@ -28,6 +28,6 @@ class Projects::GitHooksController < Projects::ApplicationController
   # Only allow a trusted parameter "white list" through.
   def git_hook_params
     params.require(:git_hook).permit(:deny_delete_tag, :delete_branch_regex,
-      :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex)
+      :commit_message_regex, :force_push_regex, :author_email_regex, :member_check, :file_name_regex, :max_file_size)
   end
 end

app/models/git_hook.rb

@@ -16,6 +16,10 @@ class GitHook < ActiveRecord::Base
   end
   def commit_validation?
-    commit_message_regex.present? || author_email_regex.present? || member_check || file_name_regex.present?
+    commit_message_regex.present? || 
+      author_email_regex.present? || 
+      member_check || 
+      file_name_regex.present? || 
+      max_file_size > 0
   end
 end

app/views/admin/application_settings/_form.html.haml

@@ -82,7 +82,7 @@
     .form-group
       = f.label :max_attachment_size, 'Maximum attachment size (MB)', class: 'control-label col-sm-2'
       .col-sm-10
-        = f.number_field :max_attachment_size, class: 'form-control'
+        = f.number_field :max_attachment_size, class: 'form-control', min: 0
     .form-group
       = f.label :restricted_signup_domains, 'Restricted domains for sign-ups', class: 'control-label col-sm-2'
       .col-sm-10

app/views/layouts/nav/_admin.html.haml

@@ -40,8 +40,8 @@
       %span
         Hooks
   = nav_link(controller: :git_hooks) do
-    = link_to admin_git_hooks_path, title: 'Git Hooks' do
-      %i.fa.fa-git-square
+    = link_to admin_git_hooks_path, title: 'Git Hooks', data: {placement: 'right'} do
+      = icon('git-square fw')
       %span
         Git Hooks
   = nav_link(controller: :background_jobs) do

app/views/shared/_git_hooks_form.html.haml

@@ -48,5 +48,13 @@
       to be pushed.
       If this field is empty it allows any filenames.
+.form-group
+  = f.label :max_file_size, "Maximum file size (MB)", class: 'control-label'
+  .col-sm-10
+    = f.number_field :max_file_size, class: "form-control", min: 0
+    .help-block
+      Pushes that contain added or updated files that exceed this file size are rejected.
+      Set to 0 to allow files of any size.
+
 .form-actions
-  = f.submit "Save Git hooks", class: "btn btn-create"
\ No newline at end of file
+  = f.submit "Save Git hooks", class: "btn btn-create"

db/migrate/20150605131047_add_max_file_size_to_git_hooks.rb

+class AddMaxFileSizeToGitHooks < ActiveRecord::Migration
+  def change
+    add_column :git_hooks, :max_file_size, :integer, default: 0
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20150509180749) do
+ActiveRecord::Schema.define(version: 20150605131047) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -40,11 +40,13 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.boolean  "twitter_sharing_enabled",      default: true
     t.text     "help_text"
     t.text     "restricted_visibility_levels"
-    t.boolean  "version_check_enabled",        default: true
     t.integer  "max_attachment_size",          default: 10,   null: false
     t.integer  "default_project_visibility"
+    t.boolean  "version_check_enabled",        default: true
     t.integer  "default_snippet_visibility"
     t.text     "restricted_signup_domains"
+    t.boolean  "user_oauth_applications",      default: true
+    t.string   "after_sign_out_path"
   end
   create_table "audit_events", force: true do |t|
@@ -131,6 +133,7 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.boolean  "member_check",         default: false, null: false
     t.string   "file_name_regex"
     t.boolean  "is_sample",            default: false
+    t.integer  "max_file_size",        default: 0
   end
   create_table "historical_data", force: true do |t|
@@ -317,7 +320,7 @@ ActiveRecord::Schema.define(version: 20150509180749) do
   end
   add_index "namespaces", ["created_at", "id"], name: "index_namespaces_on_created_at_and_id", using: :btree
-  add_index "namespaces", ["name"], name: "index_namespaces_on_name", unique: true, using: :btree
+  add_index "namespaces", ["name"], name: "index_namespaces_on_name", using: :btree
   add_index "namespaces", ["owner_id"], name: "index_namespaces_on_owner_id", using: :btree
   add_index "namespaces", ["path"], name: "index_namespaces_on_path", unique: true, using: :btree
   add_index "namespaces", ["type"], name: "index_namespaces_on_type", using: :btree
@@ -425,11 +428,11 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.string   "avatar"
     t.string   "import_status"
     t.float    "repository_size",               default: 0.0
-    t.text     "merge_requests_template"
     t.integer  "star_count",                    default: 0,        null: false
-    t.boolean  "merge_requests_rebase_enabled", default: false
     t.string   "import_type"
     t.string   "import_source"
+    t.text     "merge_requests_template"
+    t.boolean  "merge_requests_rebase_enabled", default: false
     t.boolean  "merge_requests_rebase_default", default: true
   end
@@ -519,6 +522,12 @@ ActiveRecord::Schema.define(version: 20150509180749) do
   add_index "tags", ["name"], name: "index_tags_on_name", unique: true, using: :btree
+  create_table "test", id: false, force: true do |t|
+    t.integer "col"
+  end
+
+  add_index "test", ["col"], name: "index_name", unique: true, using: :btree
+
   create_table "users", force: true do |t|
     t.string   "email",                         default: "",    null: false
     t.string   "encrypted_password",            default: "",    null: false
@@ -559,7 +568,6 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.string   "unconfirmed_email"
     t.boolean  "hide_no_ssh_key",               default: false
     t.string   "website_url",                   default: "",    null: false
-    t.datetime "admin_email_unsubscribed_at"
     t.string   "github_access_token"
     t.string   "gitlab_access_token"
     t.string   "notification_email"
@@ -567,13 +575,14 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.boolean  "password_automatically_set",    default: false
     t.string   "bitbucket_access_token"
     t.string   "bitbucket_access_token_secret"
+    t.datetime "admin_email_unsubscribed_at"
     t.string   "location"
+    t.string   "public_email",                  default: "",    null: false
     t.string   "encrypted_otp_secret"
     t.string   "encrypted_otp_secret_iv"
     t.string   "encrypted_otp_secret_salt"
     t.boolean  "otp_required_for_login"
     t.text     "otp_backup_codes"
-    t.string   "public_email",                  default: "",    null: false
   end
   add_index "users", ["admin"], name: "index_users_on_admin", using: :btree
@@ -609,6 +618,7 @@ ActiveRecord::Schema.define(version: 20150509180749) do
     t.boolean  "merge_requests_events", default: false,         null: false
     t.boolean  "tag_push_events",       default: false
     t.integer  "group_id"
+    t.boolean  "note_events",           default: false,         null: false
   end
   add_index "web_hooks", ["created_at", "id"], name: "index_web_hooks_on_created_at_and_id", using: :btree

lib/gitlab/git_access.rb

@@ -226,6 +226,17 @@ module Gitlab
                 end
               end
             end
+
+            if git_hook.max_file_size > 0
+              commit.diffs.each do |diff|
+                next if diff.deleted_file
+
+                blob = project.repository.blob_at(commit.id, diff.new_path)
+                if blob.size > git_hook.max_file_size.megabytes
+                  return build_status_object(false, "File #{diff.new_path.inspect} is larger than the allowed size of #{git_hook.max_file_size} MB")
+                end
+              end
+            end
           end
         end
       end

spec/lib/gitlab/git_access_spec.rb

@@ -294,5 +294,23 @@ describe Gitlab::GitAccess do
         access.git_hook_check(user, project, 'refs/heads/master', '913c66a37', '33f3729a4').allowed?.should be_truthy
       end
     end
+
+    describe "max file size check" do
+      before do
+        allow_any_instance_of(Gitlab::Git::Blob).to receive(:size).and_return(1.5.megabytes.to_i)
+      end
+      
+      it "returns false when size is too large" do
+        project.create_git_hook
+        project.git_hook.update(max_file_size: 1)
+        access.git_hook_check(user, project, 'refs/heads/master', 'cfe32cf6', '913c66a37').allowed?.should be_falsey
+      end
+
+      it "returns true when size is allowed" do
+        project.create_git_hook
+        project.git_hook.update(max_file_size: 2)
+        access.git_hook_check(user, project, 'refs/heads/master', 'cfe32cf6', '913c66a37').allowed?.should be_truthy
+      end
+    end
   end
 end