Skip to content

Disabled repos on public projects can still be cloned

Users are still able to download code from public projects with repository
disabled or restricted only for team members.

Steps to reproduce

  1. Create a project with public visibility level
  2. Go to project settings and set repository permissions to disabled or **only team members **
  3. Try to clone this same project without being a project member.

Expected behavior

User should see a 403 error

Actual behavior

Repository is being cloned!!!

Relevant logs and/or screenshots

We should also improve the description of public visibility level since now
public projects can have restricted repositories

public-visibility

Possible fixes

check app/controllers/projects/git_http_controller.rb:78

  def upload_pack_allowed?
    return false unless Gitlab.config.gitlab_shell.upload_pack

    if user
      access_check.allowed?
    else
      ci? || project.public?
    end
  end

We should improve the permissions check here and look for other security issues about cloning and pushing code when project is public.