Skip to content

Namespace#force_share_with_group_lock_on_descendants will always update ALL namespaces, ignoring the output of `Namespace#descendants`

Found as part of https://gitlab.com/gitlab-com/infrastructure/issues/2773:

Namespace.find_by(path: 'gitlab-org').send(:force_share_with_group_lock_on_descendants)

This will produce:

UPDATE "namespaces" SET "share_with_group_lock" = 't'

This is a massive issue since it allows one to:

  1. Set share_with_group_lock for everybody (which at this point has probably already messed up namespaces)
  2. DoS attack GitLab.com by triggering this procedure many times

This needs to be fixed ASAP as we're already getting hit by this on GitLab.com.

cc @mkozono