Exploit in mirroring and CI allows theft of other users' repositories

This was reported via a support web form. I don't believe the reporter understands the full implications of this vulnerability.

https://gitlab.zendesk.com/agent/tickets/79805

The EE mirroring feature can be abused to steal repositories from other users (and probably more).

  1. Create a project and repository.
  2. Create a mirror of that project.
  3. Grant another user/victim master rights to the mirror.
  4. Assign them as the "mirror user" on the mirror and enable "Trigger pipelines for mirror updates".
  5. Change the .gitlab-ci.yml file on the original repository to include a command such as: git clone https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/root/myprivproj.git

This code now executes in the victim user's context. Their CI variables can be used to steal their projects.
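An audit for the configuration described above, as an added example that is not part of the original report or GitLab's own code. It assumes an administrator has exported project records with the Projects API attributes `mirror`, `mirror_user_id`, `mirror_trigger_builds` and `creator_id`; comparing the mirror user with the creator is a heuristic chosen here, and all sample data is constructed.

```python
import re

# Constructed records shaped like GitLab Projects API output; values are made up.
PROJECTS = [
    {"id": 1, "path_with_namespace": "alice/app", "creator_id": 10,
     "mirror": True, "mirror_user_id": 10, "mirror_trigger_builds": True},
    {"id": 2, "path_with_namespace": "mallory/mirror", "creator_id": 66,
     "mirror": True, "mirror_user_id": 42, "mirror_trigger_builds": True},
    {"id": 3, "path_with_namespace": "bob/lib", "creator_id": 20,
     "mirror": True, "mirror_user_id": 21, "mirror_trigger_builds": False},
]

# Constructed .gitlab-ci.yml contents keyed by project id.
CI_FILES = {
    1: "build:\n  script:\n    - make\n",
    2: ("build:\n  script:\n    - git clone https://gitlab-ci-token:"
        "$CI_JOB_TOKEN@gitlab.example.com/root/myprivproj.git\n"),
}

# A clone URL that authenticates with the job token; captures the project path.
TOKEN_CLONE = re.compile(
    r"gitlab-ci-token:\$\{?CI_JOB_TOKEN\}?@[^/\s]+/(\S+?)(?:\.git)?(?=\s|$)")


def risky_mirrors(projects):
    """Mirrors whose update pipelines run as a user other than the creator."""
    return [p for p in projects
            if p.get("mirror") and p.get("mirror_trigger_builds")
            and p.get("mirror_user_id") is not None
            and p["mirror_user_id"] != p.get("creator_id")]


def foreign_token_clones(project_path, ci_yaml):
    """Project paths cloned with the job token that are not the project itself."""
    return [t for t in TOKEN_CLONE.findall(ci_yaml) if t != project_path]


def audit(projects, ci_files):
    """Return (mirror path, mirror user id, foreign clone targets) per finding."""
    return [(p["path_with_namespace"], p["mirror_user_id"],
             foreign_token_clones(p["path_with_namespace"],
                                  ci_files.get(p["id"], "")))
            for p in risky_mirrors(projects)]


if __name__ == "__main__":
    for path, user_id, targets in audit(PROJECTS, CI_FILES):
        print(f"{path}: pipelines run as user {user_id}; token clones: {targets}")
```

A flagged mirror with an empty clone list still deserves review, since the job token can be used in ways this pattern does not match.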