add allowCodeAccess setting for gitlab (#79)

Author: tpetr

README.md

@@ -113,6 +113,7 @@ inbound:
   gitlab:
     baseUrl: https://gitlab.example.com/api/v4
     token: ...
+    allowCodeAccess: false  # default is false, set to true to allow Semgrep to read file contents
 ```
 
 Under the hood, this config adds these allowlist items:
@@ -126,6 +127,10 @@ Under the hood, this config adds these allowlist items:
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note`
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion`
 
+And if `allowCodeAccess` is set, additionally:
+
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/files/:filepath`
+
 ### Bitbucket
 
 Similarly, the `bitbucket` configuration section grants Semgrep access to leave MR comments.

pkg/config.go

@@ -208,8 +208,9 @@ type GitHub struct {
 }
 
 type GitLab struct {
-	BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
-	Token   string `mapstructure:"token" json:"token"`
+	BaseURL         string `mapstructure:"baseUrl" json:"baseUrl"`
+	Token           string `mapstructure:"token" json:"token"`
+	AllowCodeAccess bool   `mapstructure:"allowCodeAccess" json:"allowCodeAccess"`
 }
 
 type BitBucket struct {
@@ -455,6 +456,17 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 				SetRequestHeaders: headers,
 			},
 		)
+
+		if config.Inbound.GitLab.AllowCodeAccess {
+			config.Inbound.Allowlist = append(config.Inbound.Allowlist,
+				// get contents of file
+				AllowlistItem{
+					URL:               gitLabBaseUrl.JoinPath("/projects/:project/repository/files/:filepath").String(),
+					Methods:           ParseHttpMethods([]string{"GET"}),
+					SetRequestHeaders: headers,
+				},
+			)
+		}
 	}
 
 	if config.Inbound.BitBucket != nil {