    Update the git pre-receive hook to ensure that code hasn't changed before being pushed.

    Review Request #13282 — Created Oct. 6, 2023 and updated — Latest diff uploaded

    Information

    RBTools
    release-5.x

    There's currently a code security concern with Review Board: code can be
    approved in Review Board, but then altered and pushed to a remote repository,
    without any way to block this.

    This concern can be addressed using repository hooks. This change updates our
    Git pre-receive script to ensure that the files and diffs on the user's
    machine match the files and diffs posted on the review request. To do this,
    we compare the local diff to the diff posted on the review request, and
    compare the local patched file's SHA with the SHA stored on the Review
    Board server. For binary files, only the diffs get compared since we don't
    store patched file SHAs for them.

    The script already checks for review request approval, so this ensures that
    only approved code can be pushed.

    This only solves the concern for Git repositories. In the future we can
    apply the same idea for our Perforce script.

    • Tested running the script locally and set up as a server-side hook script
      for a GitLab repository for the following cases:
        • With a review request containing multiple commits where files match,
          and where at least one file doesn't match.
        • With a review request containing one commit where files match,
          and where at least one file doesn't match.
        • When unable to generate a local diff.
        • When unable to fetch the diff from the Review Board server.
        • When unable to load the file diff's patched_sha256 and/or patched_sha1
          file.
    • Tested with text-based files that end with newlines, and ones that don't end
      with newlines.
    • Tested with binary files (image files).
    • Tested with git blob SHAs in a diff not matching the ones posted on the
      review request, and was able to push the changes for that review request.
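The matching logic the description sketches, written out as an added illustration rather than RBTools' own hook code: the approved diff, its patched-file SHA-256 and the approval flag are stubbed with constructed values instead of being fetched from a Review Board server, and `ApprovedFileDiff`, `verify_file` and `should_accept_push` are hypothetical names.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApprovedFileDiff:  # server-side record of one approved file (constructed stand-in)
    path: str
    diff: bytes                    # unified diff posted on the review request
    binary: bool                   # binary files carry no patched-file SHA
    patched_sha256: Optional[str]  # hex SHA-256 of the file after the patch

def normalize_diff(diff: bytes) -> bytes:
    # Drop 'index <blob>..<blob>' lines: blob SHAs may differ between a regenerated local diff and the posted one.
    return b"\n".join(l for l in diff.splitlines() if not l.startswith(b"index "))

def verify_file(local_diff: bytes, local_patched: Optional[bytes],
                approved: ApprovedFileDiff) -> list[str]:
    """Return mismatches for one file; an empty list means it matches."""
    problems = []
    if normalize_diff(local_diff) != normalize_diff(approved.diff):
        problems.append(f"{approved.path}: local diff differs from the approved diff")
    if approved.binary:
        return problems  # only the diff is compared for binary files
    if approved.patched_sha256 is None or local_patched is None:
        return problems + [f"{approved.path}: cannot compare patched-file SHA"]
    # Hash the exact bytes, so a file that lost or gained its final newline differs.
    if hashlib.sha256(local_patched).hexdigest() != approved.patched_sha256:
        problems.append(f"{approved.path}: patched-file SHA-256 does not match")
    return problems

def should_accept_push(local: dict[str, tuple[bytes, Optional[bytes]]],
                       approved: dict[str, ApprovedFileDiff],
                       request_approved: bool) -> tuple[bool, list[str]]:
    """Hook decision; local maps path -> (diff, patched bytes or None for binary)."""
    if not request_approved:
        return False, ["review request is not approved"]
    problems = []
    for path, rec in approved.items():
        if path not in local:
            problems.append(f"{path}: approved file missing from the push")
        else:
            problems.extend(verify_file(*local[path], rec))
    problems += [f"{p}: pushed file is not in the approved diff" for p in local.keys() - approved.keys()]
    return not problems, problems

# Constructed sample: one approved text change to app.py.
PATCHED = b"print('hello')\n"
DIFF = (b"diff --git a/app.py b/app.py\nindex 1111111..2222222 100644\n--- a/app.py\n"
        b"+++ b/app.py\n@@ -1 +1 @@\n-print('hi')\n+print('hello')\n")
APPROVED = {"app.py": ApprovedFileDiff("app.py", DIFF, False, hashlib.sha256(PATCHED).hexdigest())}
```

A real hook would regenerate the local diff and patched content from the pushed refs and reject the push with a non-zero exit when `should_accept_push` returns `False`.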
