From 0df979807ccc52aea22d4759c5e63962d6cedb0c Mon Sep 17 00:00:00 2001
From: Craig Smith <5344211-craigmsmith@users.noreply.gitlab.com>
Date: Mon, 13 Oct 2025 16:05:12 +1000
Subject: [PATCH 1/2] Work in progress
---
 ee/lib/ee/gitlab/git_access.rb | 9 ++++++---
 .../secret_push_protection/secrets_check.rb | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/ee/lib/ee/gitlab/git_access.rb b/ee/lib/ee/gitlab/git_access.rb
index 4ff78ba9050ca3..6d6ab39f8fe43b 100644
--- a/ee/lib/ee/gitlab/git_access.rb
+++ b/ee/lib/ee/gitlab/git_access.rb
@@ -14,6 +14,8 @@ module GitAccess
 override :check
 def check(cmd, changes)
+ pp "EE GitAccess#check called - RequestStore object_id: #{::Gitlab::SafeRequestStore.object_id}"
+
 check_maintenance_mode!(cmd)
 check_geo_license!
 check_smartcard_access!
@@ -82,9 +84,10 @@ def check_custom_ssh_action!
 override :check_for_console_messages
 def check_for_console_messages
- super.push(
- *current_replication_lag_message
- )
+ pp "check_for_console_messages - RequestStore object_id: #{::Gitlab::SafeRequestStore.object_id}"
+ pp "SPP message: #{::Gitlab::SafeRequestStore[:spp_warning_message]}"
+
+ super.push(*current_replication_lag_message)
 end
 override :check_download_access!
diff --git a/ee/lib/gitlab/checks/secret_push_protection/secrets_check.rb b/ee/lib/gitlab/checks/secret_push_protection/secrets_check.rb
index 4bccb64e9b6abf..1b18cc7316c3ab 100644
--- a/ee/lib/gitlab/checks/secret_push_protection/secrets_check.rb
+++ b/ee/lib/gitlab/checks/secret_push_protection/secrets_check.rb
@@ -72,6 +72,7 @@ def run_validation_dark_launch!
 end
 def run_validation!
+ pp "SPP run_validation! called"
 return unless eligibility_checker.should_scan?
 audit_logger.track_spp_scan_executed('regular')
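Review bot: The `pp` call added at the top of `check` in ee/lib/ee/gitlab/git_access.rb writes to the process's stdout on every Git access check, bypassing structured logging; the same applies to the two `pp` lines added to `check_for_console_messages` and the one at the top of `run_validation!` in secrets_check.rb. The second `pp` in `check_for_console_messages` also prints whatever is stored under `:spp_warning_message`. Remove these before merge, or, if the trace is still needed, emit it at debug level through a logger (secrets_check.rb already has `secret_detection_logger`; which logger git_access.rb uses is not visible here). All three methods continue outside their hunks.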
@@ -81,6 +82,8 @@ def run_validation!
 logger.log_timed(LOG_MESSAGES[:secrets_check]) do
 payloads = payload_processor.standardize_payloads
+ raise StandardError.new("This is a test message")
+
 thread = Thread.new do
 # This is to help identify the thread in case of a crash
 Thread.current.name = "secrets_check"
@@ -121,6 +124,22 @@ def run_validation!
 message = format(ERROR_MESSAGES[:scan_initialization_error], { error_msg: e.message })
 secret_detection_logger.error(build_structured_payload(message:))
+ rescue ::Gitlab::GitAccess::ForbiddenError
+ # Re-raise to ensure secrets still block pushes
+ raise
+ rescue StandardError => e
+ # Catch all other unexpected errors
+ ::Gitlab::ErrorTracking.track_exception(e)
+ secret_detection_logger.error(
+ build_structured_payload(
+ message: "Secret push protection failed: #{e.message}",
+ error_class: e.class.name
+ )
+ )
+
+ # Store warning message for display
+ ::Gitlab::SafeRequestStore[:spp_warning_message] =
+ 'Secret detection scan encountered an error. Your push was allowed, but please verify no secrets were committed.'
 ensure
 # clean up the thread
 thread&.exit
-- GitLab
From 145f576a05b41ab9894280fd2e09c505e4baadfa Mon Sep 17 00:00:00 2001
From: Craig Smith <5344211-craigmsmith@users.noreply.gitlab.com>
Date: Mon, 13 Oct 2025 16:10:29 +1000
Subject: [PATCH 2/2] Work in progress
---
 ee/lib/ee/gitlab/git_access.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ee/lib/ee/gitlab/git_access.rb b/ee/lib/ee/gitlab/git_access.rb
index 6d6ab39f8fe43b..4ecd806924a17d 100644
--- a/ee/lib/ee/gitlab/git_access.rb
+++ b/ee/lib/ee/gitlab/git_access.rb
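Review bot: The unconditional `raise StandardError.new("This is a test message")` at the start of the `logger.log_timed` block in `run_validation!` (hunk at -81,6 of secrets_check.rb) makes the `Thread.new` scan below it unreachable, so no push is ever scanned. Together with the `rescue StandardError` added in the next hunk of the same method, the failure would presumably be swallowed and the push accepted with only a warning, which effectively switches secret push protection off. Remove the line before merge and exercise the failure path from a spec instead, by stubbing `payload_processor.standardize_payloads` to raise. `run_validation!` begins and ends outside the hunk.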
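Review bot: The new `rescue StandardError => e` branch in `run_validation!` (hunk at -121,6 of secrets_check.rb) makes the secrets check fail open: any unexpected exception during the scan now lets the push through, where before it would presumably have propagated and rejected it. For a blocking control that is a policy change worth making explicit: rescue only the error classes the scanner is known to raise, or put the fail-open path behind a setting an administrator opts into, and record the allowed push through `audit_logger` so it can be reviewed afterwards. Logging `e.message` verbatim deserves a second look if scanner errors can echo parts of the scanned payload, which is not visible here. The `:spp_warning_message` key is a bare literal both here and in git_access.rb; a shared constant would keep the writer and the reader in sync. The method's opening and its earlier `rescue` clauses are outside the hunk.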
@@ -87,7 +87,10 @@ def check_for_console_messages
 pp "check_for_console_messages - RequestStore object_id: #{::Gitlab::SafeRequestStore.object_id}"
 pp "SPP message: #{::Gitlab::SafeRequestStore[:spp_warning_message]}"
- super.push(*current_replication_lag_message)
+ messages = [*current_replication_lag_message]
+ messages.push(::Gitlab::SafeRequestStore[:spp_warning_message])
+
+ super.push(*messages)
 end
 override :check_download_access!
-- GitLab
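Review bot: `messages.push(::Gitlab::SafeRequestStore[:spp_warning_message])` appends `nil` whenever no warning was stored, which is the normal case, so `super.push(*messages)` adds a `nil` entry to the console messages on every call; how callers treat a `nil` entry is not visible here. Build the list with the missing value dropped, e.g. `messages = [*current_replication_lag_message, ::Gitlab::SafeRequestStore[:spp_warning_message]].compact`, and pass that to `super.push`. The two `pp` debug lines kept as context above should be removed as well. `check_for_console_messages` starts outside the hunk.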