Blocking pushes of private keys, archives, large files and more in GitLab CE

Git hooks are a tool to help keep your repository in order. You can set up automatic rules for processing your commits.



You probably all know about pre-commit hooks, which check your code before it is committed. But not everything can be checked on the client side: some restrictions need to be enforced globally, across the whole GitLab instance.



If you are unsure about the difference between pre-commit and pre-receive hooks, this post explains it in the "What are git hooks?" section.



If you have GitLab Enterprise Edition, you can configure the hooks described in this post through the web interface.



But what if you run GitLab Community (Core) Edition?



This article describes five pre-receive hooks that run on the GitLab Community (Core) Edition server:



  • block_confidentials.sh - blocks pushes containing private keys and AWS tokens
  • block_file_extensions.sh - blocks pushes containing archives (the regex is configurable)
  • check-large-files.sh - blocks pushes containing large files (the size limit is configurable)
  • reject-not-allowlist-email.sh - blocks commits whose author email is not on the allow list (the list of email domains is configurable)
  • require-issue.sh - blocks commits without an issue reference in the title (the issue key list is configurable)


Most of the hooks are taken from the pre-receive-hooks directory of the platform-samples repository (which targets GitHub Enterprise).



All the source code for the server hooks is available on GitHub.



Installing on GitLab



  • Create the directory /opt/gitlab/embedded/service/gitlab-shell/hooks/pre-receive.d/
  • Copy the hooks into this directory
  • Do not forget to make the hooks executable (chmod +x <hook file>)


Blocking pushes containing private keys and AWS tokens



block_confidentials.sh regex_list, .



# Define list of REGEX to be searched and blocked
regex_list=(
  # block any private key file
  '(\-){5}BEGIN\s?(RSA|OPENSSH|DSA|EC|PGP)?\s?PRIVATE KEY\s?(BLOCK)?(\-){5}.*'
  # block AWS API Keys
  'AKIA[0-9A-Z]{16}'
  # block AWS Secret Access Key (TODO: adjust so it does not match valid Git SHA-1s; currently gives false positives)
  # '([^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})([^A-Za-z0-9/+=])?'
  # block confidential content
  'CONFIDENTIAL'
)
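The regex list above is only the configuration; the part of the hook that does the work is the loop that takes the ref updates git hands to a pre-receive hook, diffs each one and greps the added lines. The script below is an added example, not block_confidentials.sh itself: it reproduces that core in portable POSIX sh with the same three patterns (rewritten with `[[:space:]]` and `-{5}` so they work with any `grep -E`), handles the new-branch case where `oldrev` is all zeros, and only acts as a hook when `GIT_DIR` is set, so it can be run by hand to check a diff. The helper names (`secret_patterns`, `added_lines`, `scan_added_lines`, `check_push`, `hook_main`) are my own and the sample diff in the usage lines is constructed; the AKIA key in it is the example key from the AWS documentation, not a real credential.

```shell
#!/bin/sh
# Added example (not block_confidentials.sh itself): the scanning core of a
# pre-receive hook that rejects pushes whose added lines match a secret pattern.
# The patterns mirror regex_list above; helper names are my own (assumed).

# One extended regex per line: private key blocks, AWS access key IDs,
# and a marker word for confidential content.
secret_patterns() {
  printf '%s\n' \
    '-{5}BEGIN[[:space:]]?(RSA|OPENSSH|DSA|EC|PGP)?[[:space:]]?PRIVATE KEY[[:space:]]?(BLOCK)?-{5}.*' \
    'AKIA[0-9A-Z]{16}' \
    'CONFIDENTIAL'
}

# Keep only the lines a unified diff adds ('+' prefix, minus the '+++' file
# header) and strip the prefix so the patterns see the file content alone.
added_lines() {
  grep -E '^\+' | grep -Ev '^\+\+\+' | sed 's/^+//'
}

# scan_added_lines TEXT: report, per pattern, how many added lines match.
# Only counts are printed so the hook never echoes the secret itself back.
# Returns 1 when anything matched (push must be rejected), 0 when clean.
scan_added_lines() {
  scan_text=$1
  scan_status=0
  while IFS= read -r pattern; do
    count=$(printf '%s\n' "$scan_text" | grep -c -E -e "$pattern" || true)
    if [ "$count" -gt 0 ]; then
      printf 'blocked: %s added line(s) match /%s/\n' "$count" "$pattern" >&2
      scan_status=1
    fi
  done <<EOF
$(secret_patterns)
EOF
  return $scan_status
}

# check_push DIFF_TEXT: diff text in, verdict out (0 = clean, 1 = blocked).
check_push() {
  check_push_added=$(printf '%s\n' "$1" | added_lines)
  scan_added_lines "$check_push_added"
}

# hook_main: what git calls. receive-pack feeds "oldrev newrev refname" lines
# on stdin; an all-zero oldrev means a new branch, so diff against the empty tree.
hook_main() {
  zero=0000000000000000000000000000000000000000
  while read -r oldrev newrev refname; do
    if [ "$newrev" = "$zero" ]; then
      continue                                       # ref deletion: nothing to scan
    fi
    if [ "$oldrev" = "$zero" ]; then
      oldrev=$(git hash-object -t tree /dev/null)    # empty tree in this repo's hash format
    fi
    if ! check_push "$(git diff "$oldrev" "$newrev")"; then
      echo "pre-receive: push to $refname rejected, remove the flagged content and retry" >&2
      exit 1
    fi
  done
}

# Act as a hook only when git invokes us (receive-pack exports GIT_DIR);
# running the file by hand just defines the functions for use with check_push.
if [ -n "${GIT_DIR:-}" ]; then
  hook_main
fi
```

Run by hand, `check_push "$(git diff HEAD~1 HEAD)"` answers whether the last commit would pass the hook before you push it. Counting matches instead of printing the matching lines is a deliberate choice: the pre-receive output is sent back to the client, and a hook that quotes the key it just blocked turns up in terminal scrollback and CI logs.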


, git push .







block_file_extensions.sh case *.zip|*.gz|*.tgz, , .



zip , git push .







check-large-files.sh maxsize, , .



1 , git push .
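A size limit has to be applied to the objects a push introduces, not to the working tree, because the hook runs before any ref is updated. The script below is an added example, not check-large-files.sh itself: it lists the objects reachable from the pushed commit that no existing ref already has, asks `git cat-file` for their type and size, and rejects the push if any blob exceeds the limit. The helper names (`blobs_over_limit`, `hook_main`), the `MAXSIZE` variable and its 1 MiB default are my own assumptions, and the object listing used in the usage lines is constructed; the `--batch-check` format string is standard git.

```shell
#!/bin/sh
# Added example (not check-large-files.sh itself): a size gate for a
# pre-receive hook. Helper names and the MAXSIZE default are assumed.

# Limit in bytes, overridable through the environment; 1 MiB by default.
maxsize=${MAXSIZE:-1048576}

# blobs_over_limit LIMIT: reads lines of the form "<sha> <type> <size> <path>",
# which is what git cat-file --batch-check='%(objectname) %(objecttype)
# %(objectsize) %(rest)' prints, and echoes "<size> <path>" for every blob
# larger than LIMIT. Trees, commits and tags are ignored.
# Returns 1 if any oversized blob was found, 0 otherwise.
blobs_over_limit() {
  awk -v limit="$1" '
    $2 == "blob" && $3 + 0 > limit + 0 {
      path = $0
      sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)   # keep the path even if it contains spaces
      print $3, path
      found = 1
    }
    END { exit(found ? 1 : 0) }'
}

# hook_main: the pre-receive entry point. "--not --all" drops every object
# already reachable from an existing ref, so only what this push adds is
# measured and history that was accepted earlier is never re-checked.
hook_main() {
  zero=0000000000000000000000000000000000000000
  while read -r oldrev newrev refname; do
    if [ "$newrev" = "$zero" ]; then
      continue                                  # ref deletion adds nothing
    fi
    if ! git rev-list --objects "$newrev" --not --all \
         | git cat-file --batch-check='%(objectname) %(objecttype) %(objectsize) %(rest)' \
         | blobs_over_limit "$maxsize"; then
      echo "pre-receive: $refname adds files larger than $maxsize bytes, push rejected" >&2
      exit 1
    fi
  done
}

# Act as a hook only when git invokes us (receive-pack exports GIT_DIR).
if [ -n "${GIT_DIR:-}" ]; then
  hook_main
fi
```

Because the check walks objects rather than the diff of two commits, a large file that was added and deleted again inside the same push is still caught: the blob is reachable from an intermediate commit even though the final tree no longer contains it.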





Blocking commits whose email is not on the allow list



reject-not-allowlist-email.sh email-, .



declare -a DOMAIN_ARRAY=("group1.com" "group2.com")


git , .



git config user.email user1@group3.com


, git push .





Blocking commits without an issue reference in the title



Majilesh.



require-issue.sh commit_format, .



commit_format="(JIRA|PROJECTKEY|MULE|ECOM|SAP|XLR-[1-9]+Merge)"


, , commit_format git push .





.


