From ef8e59f65976c81ab37cabcdaf98a561ce4ed5ba Mon Sep 17 00:00:00 2001
From: Tom Petr
Date: Thu, 25 Jul 2024 08:24:26 -0400
Subject: [PATCH] add allowCodeAccess setting for gitlab (#79)

---
 README.md     | 5 +++++
 pkg/config.go | 16 ++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index df711d6..644ea89 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,7 @@ inbound:
   gitlab:
     baseUrl: https://gitlab.example.com/api/v4
     token: ...
+    allowCodeAccess: false # default is false, set to true to allow Semgrep to read file contents
 ```
 
 Under the hood, this config adds these allowlist items:
@@ -126,6 +127,10 @@ Under the hood, this config adds these allowlist items:
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note`
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion`
 
+And if `allowCodeAccess` is set, additionally:
+
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/files/:filepath`
+
 ### Bitbucket
 
 Similarly, the `bitbucket` configuration section grants Semgrep access to leave MR comments.
diff --git a/pkg/config.go b/pkg/config.go
index b96fe59..f4b3a7e 100644
--- a/pkg/config.go
+++ b/pkg/config.go
@@ -208,8 +208,9 @@ type GitHub struct {
 }
 
 type GitLab struct {
-	BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
-	Token   string `mapstructure:"token" json:"token"`
+	BaseURL         string `mapstructure:"baseUrl" json:"baseUrl"`
+	Token           string `mapstructure:"token" json:"token"`
+	AllowCodeAccess bool   `mapstructure:"allowCodeAccess" json:"allowCodeAccess"`
 }
 
 type BitBucket struct {
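Review bot: `AllowCodeAccess` is an exported field with no doc comment, and it is the one setting in this struct that widens what the proxy lets Semgrep read, so its security effect belongs at the declaration rather than only in the README: `// AllowCodeAccess, when true, additionally allowlists GET /projects/:project/repository/files/:filepath, letting Semgrep read file contents from any project reachable with Token; off by default.` The bool zero value keeps the endpoint closed, which matches the README's stated default, so no explicit default handling is needed. The `GitLab` struct is complete within the hunk.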
@@ -455,6 +456,17 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) { SetRequestHeaders: headers, }, ) + + if config.Inbound.GitLab.AllowCodeAccess { + config.Inbound.Allowlist = append(config.Inbound.Allowlist, + // get contents of file + AllowlistItem{ + URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/files/:filepath").String(), + Methods: ParseHttpMethods([]string{"GET"}), + SetRequestHeaders: headers, + }, + ) + } } if config.Inbound.BitBucket != nil {
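Review bot: The new allowlist item writes `:filepath` as a single path segment, but GitLab's file endpoint takes the repository path percent-encoded (slashes as `%2F`), so whether nested files match depends on whether the matcher compares the decoded path or the escaped one — if it decodes `%2F` before matching, any file below the repository root will not match, and if it matches on decoded text with a multi-segment wildcard the grant may be wider than the one URL listed in the README; the matcher is outside this hunk, so please confirm and add a test with a nested file path such as `app%2Fmodels%2Fuser.rb`. A comment on the item would spare the next reader the same question, e.g. `// :filepath is one percent-encoded segment (slashes as %2F); the ref is a query parameter — TODO confirm the matcher handles both`. It is worth stating that only the JSON endpoint is opened and not `.../repository/files/:filepath/raw`, which is the right least-privilege default. The enclosing `LoadConfig` starts and ends outside the hunk.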