Prevent overwriting merge request refs

Summary

Git references aren't validated on push. Mentioned in a ticket: https://gitlab.zendesk.com/agent/tickets/71104

Steps to reproduce

# Using GitLab CE 9.0.0
#
# As an admin:

gitlab-harish:9.0(test_branch)$ git push docker HEAD:test_branch
**snip**
To http://192.168.227.128:8888/harish/rails_01.git
 * [new branch]      HEAD -> test_branch

gitlab-harish:9.0(testing_01)$ git push docker HEAD:refs/merge-requests/75/head -f
Total 0 (delta 0), reused 0 (delta 0)
To http://192.168.227.128:8888/harish/rails_01.git
 * [new branch]      HEAD -> refs/merge-requests/75/head

gitlab-harish:9.0(testing_01)$ git ls-remote docker | grep merge-requests/75
09d7b8aa3237d270a1456ba3abb19d96b60a9946    refs/merge-requests/75/head

gitlab-harish:9.0(testing_01)$ git push docker :refs/merge-requests/75/head
To http://192.168.227.128:8888/harish/rails_01.git
 - [deleted]         refs/merge-requests/75/head

#
# As a non-admin developer:

gitlab-harish:9.0(testing_01)$ git push docker HEAD:refs/heads/testing_01
**snip**
To http://192.168.227.128:8888/harish/rails_01.git
 * [new branch]      HEAD -> testing_01

gitlab-harish:9.0(testing_01)$ git push docker HEAD:refs/merge-requests/73/head -f
Total 0 (delta 0), reused 0 (delta 0)
To http://192.168.227.128:8888/harish/rails_01.git
 * [new branch]      HEAD -> refs/merge-requests/73/head

gitlab-harish:9.0(testing_01)$ git ls-remote docker | grep merge-requests
02a95d99dee2f093287df56ceb3f84cd56d86c7b    refs/merge-requests/73/head

gitlab-harish:9.0(testing_01)$ git push docker :refs/merge-requests/73/head
To http://192.168.227.128:8888/harish/rails_01.git
 - [deleted]         refs/merge-requests/73/head

What is the current bug behavior?

Git references are not validated when being pushed. They should be validated so that branches are not created this way.

What is the expected correct behavior?

References should be validated when pushed.

Results of GitLab environment info

GitLab 9.0.0 CE

Results of GitLab application Check

All checks pass.

Possible fixes

Unknown

Edited Aug 29, 2019 by James Ramsay (ex-GitLab)
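
One way to implement the validation the report asks for, shown as an added example that is neither GitLab's code nor the fix that shipped: a server-side check over the ref updates a pre-receive hook receives. The allowlist of refs/heads/ and refs/tags/ and the names action_for, rejected_updates, PUSHABLE_PREFIXES and SAMPLE_PUSH are assumptions of this example.

```ruby
# Added example (not GitLab's code): validate the ref name of every pushed
# update, the way a server-side pre-receive check could.
# Git hands such a hook one line per update: "<old-sha> <new-sha> <refname>".

ZERO_SHA = '0' * 40 # all-zero SHA means "ref does not exist" (create/delete)

# Assumption for this example: clients may only write branches and tags.
# Everything else, including refs/merge-requests/*, is server-managed.
PUSHABLE_PREFIXES = %w[refs/heads/ refs/tags/].freeze

# Classify an update from its old and new SHAs.
def action_for(old_sha, new_sha)
  return :create if old_sha == ZERO_SHA
  return :delete if new_sha == ZERO_SHA
  :update
end

# Returns one [action, refname] pair per update that must be refused.
# Malformed lines are refused as well, so the check fails closed.
def rejected_updates(input)
  lines = input.each_line.map(&:strip).reject(&:empty?)
  lines.map do |line|
    old_sha, new_sha, ref = line.split(' ', 3)
    if ref.nil?
      [:malformed, line]
    elsif PUSHABLE_PREFIXES.any? { |p| ref.start_with?(p) && ref.length > p.length }
      nil # branch or tag update: leave it to the normal permission checks
    else
      [action_for(old_sha, new_sha), ref]
    end
  end.compact
end

# Constructed hook input modelled on the non-admin pushes in the report.
SAMPLE_PUSH = <<~INPUT
  #{ZERO_SHA} 02a95d99dee2f093287df56ceb3f84cd56d86c7b refs/heads/testing_01
  #{ZERO_SHA} 02a95d99dee2f093287df56ceb3f84cd56d86c7b refs/merge-requests/73/head
  02a95d99dee2f093287df56ceb3f84cd56d86c7b #{ZERO_SHA} refs/merge-requests/73/head
INPUT

rejected_updates(SAMPLE_PUSH).each do |action, ref|
  warn "rejected #{action} of #{ref}: namespace is not writable by push"
end
```

A real hook would pass the text read from standard input to rejected_updates and exit non-zero when the result is non-empty, which makes Git refuse the push.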