
Able to create project with unlimited repository size by Project Import

HackerOne report #420258 by ngalog on 2018-10-07:

Impact

Attacker could create a project with unlimited repository size as a low-privilege user

Description

This is achieved by using the project import function: change the value of "repository_size_limit":null to "repository_size_limit":0 in project.json in the GitLab export file, tar it with the modified project.json, and import the tar file. This allows a user to create a project with unlimited repository size.

Steps to reproduce

  • create project, export the project, download the export
  • untar the profile with this cmd tar -vxzf export.tar.gz
  • use your favourite text editor to change the project.json, from "repository_size_limit":null to "repository_size_limit":0
  • tar all files back with this cmd tar -cvzf import.tar.gz
  • upload the tar import to gitlab.com

You will notice that the repository now has unlimited repo size.

PoC: Look at https://gitlab.com/golduserngalog/importinifinete/

You will see the repo size is unlimited


Proposed solution

Ignore repository_size_limit during Import and rely on a default/inherited value/whichever way it's configured.
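A defender-side sketch of the proposed fix, added here as an example and not GitLab's own code: the importer strips repository_size_limit from the uploaded project.json, so the new project falls back to the inherited limit instead of the value chosen by the uploader. The attribute list, function names and the inherited_limit parameter are assumptions for this example.

```ruby
require 'json'

# Attributes an importer must never accept from an uploaded project.json,
# because the instance or group decides them, not the uploader.
# (Constructed list for this example; the entry relevant to the report
# is repository_size_limit.)
IMPORT_PROTECTED_ATTRIBUTES = %w[repository_size_limit].freeze

# Parse the exported project.json and drop protected attributes.
# Returns [cleaned_attributes, dropped_attribute_names]; the dropped list
# is what an audit log would record when an export was tampered with.
def sanitize_imported_project(json_text)
  attrs = JSON.parse(json_text)
  raise ArgumentError, 'project.json must be a JSON object' unless attrs.is_a?(Hash)

  dropped = attrs.keys & IMPORT_PROTECTED_ATTRIBUTES
  cleaned = attrs.reject { |key, _| IMPORT_PROTECTED_ATTRIBUTES.include?(key) }
  [cleaned, dropped]
end

# The limit the created project ends up with. After sanitizing, the key is
# never present, so the configured/inherited value (in bytes, hypothetical
# parameter) always wins; a leftover key means sanitizing was skipped.
def effective_repository_size_limit(cleaned_attrs, inherited_limit)
  if cleaned_attrs.key?('repository_size_limit')
    raise ArgumentError, 'repository_size_limit must not come from an import'
  end
  inherited_limit
end

# Constructed sample: a tampered project.json with the value changed to 0,
# which the report shows is treated as "unlimited".
TAMPERED_PROJECT_JSON = '{"name":"demo","path":"demo","repository_size_limit":0}'

if __FILE__ == $PROGRAM_NAME
  cleaned, dropped = sanitize_imported_project(TAMPERED_PROJECT_JSON)
  puts "dropped from import: #{dropped.inspect}"
  puts "effective limit: #{effective_repository_size_limit(cleaned, 10 * 1024**3)} bytes"
end
```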

Implementation plan

Edited by Alan (Maciej) Paruszewski