2025-07-20 17:51:44 +00:00 · 2025-07-08 14:35:41 +00:00
parent d3fd3709be
commit 226654c061
8 changed files with 164 additions and 8 deletions
--- a/app/assets/javascripts/repository/components/blob_content_viewer.vue
+++ b/app/assets/javascripts/repository/components/blob_content_viewer.vue
@ -313,7 +313,9 @@ export default {

          await this.$nextTick();
          handleLocationHash(); // Ensures that we scroll to the hash when async content is loaded
-          eventHub.$emit('showBlobInteractionZones', this.blobInfo.path);
+          if (type === SIMPLE_BLOB_VIEWER) {
+            eventHub.$emit('showBlobInteractionZones', this.blobInfo.path);
+          }
        })
        .catch(() => this.displayError())
        .finally(() => {
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@ -1312,6 +1312,10 @@ module Ci
      merge_request_id.present? && merge_request.present?
    end

+    def merge_request_from_forked_project?
+      merge_request? && merge_request.for_fork?
+    end
+
    def external_pull_request?
      external_pull_request_id.present?
    end
@ -1581,7 +1585,7 @@ module Ci
      return false unless project.protect_merge_request_pipelines?

      # Exposing protected variables to MR Pipelines is explicitly prohibited for cross-project MRs
-      return false unless merge_request.source_project_id == merge_request.target_project_id
+      return false unless merge_request.for_same_project?

      access = Gitlab::UserAccess.new(user, container: project)
      # Exposing protected variables to MR Pipelines is not allowed if user who created the pipeline CANNOT update the source branch
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@ -21,7 +21,7 @@ module Gitlab

      attr_reader :build, :ttl

-      delegate :project, :user, :pipeline, :runner, to: :build
+      delegate :user, :pipeline, :runner, to: :build
      delegate :source_ref, :source_ref_path, to: :pipeline

      def default_payload
@ -87,6 +87,12 @@ module Gitlab
      def environment_protected?
        false # Overridden in EE
      end
+
+      def project
+        return pipeline.merge_request.source_project if pipeline.merge_request_from_forked_project?
+
+        build.project
+      end
    end
  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -61243,6 +61243,9 @@ msgstr ""
 msgid "Target branches"
 msgstr ""

+msgid "Target group prevents forks that point outside this group"
+msgstr ""
+
 msgid "Target project cannot be equal to source project"
 msgstr ""

--- a/spec/frontend/repository/components/blob_content_viewer_spec.js
+++ b/spec/frontend/repository/components/blob_content_viewer_spec.js
@ -31,6 +31,7 @@ import { HTTP_STATUS_INTERNAL_SERVER_ERROR, HTTP_STATUS_OK } from '~/lib/utils/h
 import LineHighlighter from '~/blob/line_highlighter';
 import { LEGACY_FILE_TYPES } from '~/repository/constants';
 import { SIMPLE_BLOB_VIEWER, RICH_BLOB_VIEWER } from '~/blob/components/constants';
+import eventHub from '~/notes/event_hub';
 import {
  simpleViewerMock,
  richViewerMock,
@ -277,6 +278,28 @@ describe('Blob content viewer component', () => {
        },
      );

+      describe('code navigation', () => {
+        const setup = async (viewer, viewerType) => {
+          jest.spyOn(eventHub, '$emit').mockImplementation();
+          mockAxios
+            .onGet(`/some_file.js?format=json&viewer=${viewerType}`)
+            .replyOnce(HTTP_STATUS_OK, 'test');
+          await createComponent({ blob: viewer });
+        };
+
+        it('emits showBlobInteractionZones for text files', async () => {
+          await setup(simpleViewerMock, 'simple');
+
+          expect(eventHub.$emit).toHaveBeenCalledWith('showBlobInteractionZones', 'some_file.js');
+        });
+
+        it('does not emit showBlobInteractionZones non-text files', async () => {
+          await setup(richViewerMock, 'rich');
+
+          expect(eventHub.$emit).not.toHaveBeenCalled();
+        });
+      });
+
      it('loads the LineHighlighter', async () => {
        mockAxios.onGet(legacyViewerUrl).replyOnce(HTTP_STATUS_OK, 'test');
        await createComponent({ blob: { ...simpleViewerMock, fileType } });
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@ -3,6 +3,7 @@
 require 'spec_helper'

 RSpec.describe Gitlab::Ci::Jwt, feature_category: :secrets_management do
+  include ProjectForksHelper
  let(:namespace) { build_stubbed(:namespace) }
  let(:project) { build_stubbed(:project, namespace: namespace) }
  let_it_be(:user) { create(:user) }
@ -229,6 +230,41 @@ RSpec.describe Gitlab::Ci::Jwt, feature_category: :secrets_management do
        end
      end
    end
+
+    context 'when the pipeline is for a merge request from a forked project' do
+      let_it_be(:target_project_namespace) { create(:namespace) }
+      let_it_be(:target_project) { create(:project, namespace: target_project_namespace) }
+      let_it_be(:forked_project_namespace) { create(:namespace) }
+      let_it_be(:forked_project) do
+        fork_project(target_project, nil, repository: true, namespace: forked_project_namespace)
+      end
+
+      let_it_be(:merge_request) do
+        build_stubbed(:merge_request, source_project: forked_project, source_branch: 'feature',
+          target_project: target_project, target_branch: 'master')
+      end
+
+      let_it_be(:pipeline) do
+        build_stubbed(:ci_pipeline, source: :merge_request_event, merge_request: merge_request,
+          project: target_project, user: user)
+      end
+
+      let_it_be(:build) do
+        build_stubbed(
+          :ci_build,
+          project: target_project,
+          user: user,
+          pipeline: pipeline
+        )
+      end
+
+      it 'sets the project to the source project of the merge request' do
+        expect(payload[:project_id]).to eq(forked_project.id.to_s)
+        expect(payload[:project_path]).to eq(forked_project.full_path)
+        expect(payload[:namespace_id]).to eq(forked_project_namespace.id.to_s)
+        expect(payload[:namespace_path]).to eq(forked_project_namespace.full_path)
+      end
+    end
  end

  describe '.for_build' do
--- a/spec/lib/gitlab/ci/jwt_v2_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb
@ -3,6 +3,7 @@
 require 'spec_helper'

 RSpec.describe Gitlab::Ci::JwtV2, feature_category: :secrets_management do
+  include ProjectForksHelper
  let(:namespace) { build_stubbed(:namespace) }
  let(:project) { build_stubbed(:project, namespace: namespace) }
  let(:user) do
@ -234,5 +235,42 @@ RSpec.describe Gitlab::Ci::JwtV2, feature_category: :secrets_management do
        expect(payload[:iss]).to eq(custom_issuer_url)
      end
    end
+
+    context 'when the pipeline is for a merge request from a forked project' do
+      let_it_be(:target_project_namespace) { create(:namespace) }
+      let_it_be(:target_project) { create(:project, namespace: target_project_namespace) }
+      let_it_be(:forked_project_namespace) { create(:namespace) }
+      let_it_be(:forked_project) do
+        fork_project(target_project, nil, repository: true, namespace: forked_project_namespace)
+      end
+
+      let(:merge_request) do
+        build_stubbed(:merge_request, source_project: forked_project, source_branch: 'feature',
+          target_project: target_project, target_branch: 'master')
+      end
+
+      let(:pipeline) do
+        build_stubbed(:ci_pipeline, source: :merge_request_event, merge_request: merge_request,
+          project: target_project, user: user)
+      end
+
+      let(:build) do
+        build_stubbed(
+          :ci_build,
+          project: target_project,
+          user: user,
+          pipeline: pipeline
+        )
+      end
+
+      it 'sets the project to the source project of the merge request' do
+        expect(payload[:project_id]).to eq(forked_project.id.to_s)
+        expect(payload[:project_path]).to eq(forked_project.full_path)
+        expect(payload[:namespace_id]).to eq(forked_project_namespace.id.to_s)
+        expect(payload[:namespace_path]).to eq(forked_project_namespace.full_path)
+        expect(payload[:sub])
+        .to eq("project_path:#{forked_project.full_path}:ref_type:branch:ref:#{pipeline.source_ref}")
+      end
+    end
  end
 end
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@ -992,6 +992,50 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category:
    end
  end

+  describe '#merge_request_from_forked_project?' do
+    context 'merge request from a forked project' do
+      let_it_be(:forked_project) do
+        fork_project(project, nil, repository: true)
+      end
+
+      let_it_be(:merge_request_from_forked_project) do
+        create(:merge_request, source_project: forked_project, target_project: project)
+      end
+
+      let_it_be(:forked_project_merge_request_pipeline) do
+        create(:ci_pipeline, project: project, merge_request: merge_request_from_forked_project)
+      end
+
+      it 'returns true for pipelines from a forked project' do
+        expect(forked_project_merge_request_pipeline).to be_merge_request_from_forked_project
+      end
+    end
+
+    context 'merge request from the same project' do
+      let_it_be(:same_project_merge_request) do
+        create(:merge_request, source_project: project, target_project: project)
+      end
+
+      let_it_be(:same_project_merge_request_pipeline) do
+        create(:ci_pipeline, project: project, merge_request: same_project_merge_request)
+      end
+
+      it 'returns false for pipelines from the same project' do
+        expect(same_project_merge_request_pipeline).not_to be_merge_request_from_forked_project
+      end
+    end
+
+    context 'when merge request is nil' do
+      let_it_be(:non_merge_request_pipeline) do
+        create(:ci_pipeline, project: project, merge_request_id: nil)
+      end
+
+      it 'returns false for pipelines without a merge request' do
+        expect(non_merge_request_pipeline).not_to be_merge_request_from_forked_project
+      end
+    end
+  end
+
  describe '#detached_merge_request_pipeline?' do
    subject { pipeline.detached_merge_request_pipeline? }

@ -1597,8 +1641,8 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category:
    context 'when pipeline is for a merge request' do
      let(:pipeline) { create(:ci_pipeline, source: :merge_request_event, merge_request: merge_request, project: project, user: project.owner) }

-      let_it_be(:merge_request) do
-        create(:merge_request, source_project: project, source_branch: 'feature', target_project: project, target_branch: 'master')
+      let(:merge_request) do
+        build_stubbed(:merge_request, source_project: project, source_branch: 'feature', target_project: project, target_branch: 'master')
      end

      context 'when protect_merge_request_pipelines setting is enabled' do
@ -1646,9 +1690,9 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category:
        end

        context 'when the merge request is from a forked project' do
-          let_it_be(:forked_project) { fork_project(project, nil, repository: true) }
-          let_it_be(:merge_request) do
-            create(:merge_request, source_project: forked_project, source_branch: 'feature', target_project: project, target_branch: 'master')
+          let(:forked_project) { fork_project(project, nil, repository: true) }
+          let(:merge_request) do
+            build_stubbed(:merge_request, source_project: forked_project, source_branch: 'feature', target_project: project, target_branch: 'master')
          end

          it 'returns false even if both the source and target branches are protected' do