Improve GitLab projects name verification #16262
Conversation
|
Thanks @DarkaMaul! I want to pare this back a bit to avoid depending on assumptions internal to GitLab's code, but the consecutive character check makes a lot of sense to me to add. |
|
Is this ready for review? |
|
I think we are still unsure if we want to introduce a dependency on Gitlab internal code (for the list of forbidden project names). I can refactor the PR to only include the following rules :
We can leave the two others out of this PR:
|
|
IMO having those lists of forbidden names is fine, since they are documented on GitLab's docs. For me the important question is if having such exhaustive checking is worth it. @di what do you think? |
|
The purpose of these validators is to prevent likely typos or misunderstandings about what the value of this field should be. I think it's fairly unlikely that a user would frequently be trying to use these forbidden names, and even if they were, it would be fairly clear why it was failing. TL;DR: I don't think being so exhaustive is necessary or worth it. |
I think this could happen frequently enough that it's worth including. |
Agreed! Let's cover those two suffixes but leave the reserved names out. |
…warehouse into dm/validate-gitlab-names
This PR addresses #15852
Notably, it prevents names from :
.atomor.gita-zA-Z0-9The keywords list are extracted from GitLab code. As noted by @facutuesca , this is mostly a cosmetic change, so having unsynchronized lists should not introduce a security risk.
Of note, we could slightly improve the regexes by limiting the number of potential matches to a fixed upper bound and prevent ReDos types of attacks.