Forks of public projects by project members can leak codebase
Summary
Some public projects intentionally restrict the repository (source code) to project members only, for example https://gitlab.com/gitlab-org/customers-gitlab-com.
Project members can fork these projects into another namespace to test changes without affecting the upstream project.
When a project member clicks "Fork", the repository and the project's public visibility are copied, but the per-feature "Repository" access level is not: the fork ends up with its repository readable by everyone. This unintentionally exposes proprietary source code that was never meant for public consumption.
Steps to reproduce
- Create a public project in a group namespace.
- In the project's visibility/permissions settings, set Repository view/edit access to "Only Project Members".
- Verify from an unauthenticated session (a different browser or incognito mode) that the project's source code is not publicly visible.
- As a project member, fork the project into your personal namespace.
- Verify from the same unauthenticated session that the fork's source code is publicly visible.
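The steps above can be scripted against the GitLab Project API, which is handy for auditing forks that already exist. The following is an added example, not GitLab's own code or part of the original report. It assumes the Project API fields `visibility` and `*_access_level` (where the value "private" is the "Only Project Members" setting and "enabled" is "Everyone With Access"), the `PRIVATE-TOKEN` header, and the `/projects/:id/repository/tree` endpoint; the sample project dicts, project paths and the token are constructed for illustration. It generalizes the report slightly by checking every feature access level the API returns, not only the repository.

```python
"""Detect (and build the fix for) forks that expose features the upstream
project restricted to "Only Project Members".

Added example, not GitLab's own code.  Assumptions: GitLab v4 Project API
fields `visibility` and `*_access_level`; access level "private" == the UI
setting "Only Project Members", "enabled" == "Everyone With Access".
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

GITLAB = "https://gitlab.com"

# Project visibility levels under which "Everyone With Access" includes
# people who are not project members.
EXPOSED_VISIBILITY = {"public", "internal"}


def leaked_features(upstream: dict, fork: dict) -> list:
    """Return feature names (e.g. "repository") that upstream restricted to
    members but the fork now shows to non-members.  Checks every
    *_access_level field present, not just repository_access_level."""
    if fork.get("visibility") not in EXPOSED_VISIBILITY:
        return []  # a private fork exposes nothing to outsiders
    leaked = []
    for field, level in upstream.items():
        if not field.endswith("_access_level") or level != "private":
            continue
        if fork.get(field) == "enabled":
            leaked.append(field[: -len("_access_level")])
    return sorted(leaked)


def remediation(upstream: dict, fork: dict) -> dict:
    """Body for PUT /projects/:id that restores member-only access on the fork."""
    return {f"{name}_access_level": "private" for name in leaked_features(upstream, fork)}


def api(method: str, path: str, token: Optional[str] = None, data: Optional[dict] = None):
    """Minimal GitLab v4 API call; returns (HTTP status, parsed JSON or None)."""
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{GITLAB}/api/v4{path}", data=body, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("PRIVATE-TOKEN", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def encode(project_path: str) -> str:
    """URL-encode "group/project" the way the API wants it in the :id slot."""
    return urllib.parse.quote(project_path, safe="")


def check_fork(upstream_path: str, fork_path: str, token: str) -> dict:
    """Steps 3 and 5 of the report over the API: compare both projects with a
    member token, then probe the fork's tree with NO token, which is exactly
    what an incognito browser does."""
    _, upstream = api("GET", f"/projects/{encode(upstream_path)}", token)
    _, fork = api("GET", f"/projects/{encode(fork_path)}", token)
    anon_status, _ = api("GET", f"/projects/{encode(fork_path)}/repository/tree")
    return {
        "leaked": leaked_features(upstream, fork),
        "anonymous_tree_http_status": anon_status,  # 200 == anyone can read the code
        "fix": remediation(upstream, fork),         # pass to PUT /projects/:id on the fork
    }


# Constructed sample responses, shaped like GET /projects/:id output (hypothetical paths).
UPSTREAM_SAMPLE = {
    "path_with_namespace": "example-group/restricted-app",
    "visibility": "public",
    "repository_access_level": "private",
    "merge_requests_access_level": "private",
    "issues_access_level": "enabled",
}
FORK_SAMPLE = {
    "path_with_namespace": "some-user/restricted-app",
    "visibility": "public",
    "repository_access_level": "enabled",      # the bug: reset to "Everyone With Access"
    "merge_requests_access_level": "private",
    "issues_access_level": "enabled",
}

if __name__ == "__main__":
    print(leaked_features(UPSTREAM_SAMPLE, FORK_SAMPLE))  # ['repository']
    print(remediation(UPSTREAM_SAMPLE, FORK_SAMPLE))      # {'repository_access_level': 'private'}
    # Live check (needs a token with read access to both projects):
    # print(check_fork("example-group/restricted-app", "some-user/restricted-app", "glpat-..."))
```

To clean up an existing leak, send `remediation(...)` as the body of `PUT /projects/:id` for the fork, then re-run the anonymous tree probe and expect a non-200 status. For an audit of forks you do not already know about, walk `GET /projects/:id/forks` on the restricted upstream and run `check_fork` on each; note that the fork's membership is the forker's, not the upstream's, so restoring "Only Project Members" on the fork only narrows access to whoever the forker has added.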
An incident that resulted from this going unnoticed: https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1454
Example Project
https://gitlab.com/gitlab-org/customers-gitlab-com (any GitLab team member who forks this project will publicly expose its source code)
What is the current bug behavior?
As a project member, forking a project whose Repository visibility is set to "Only Project Members" creates a fork whose Repository visibility is "Everyone With Access", which on a public project means everyone.
What is the expected correct behavior?
When a project member forks a project whose Repository visibility is set to "Only Project Members", the fork's Repository visibility should also be "Only Project Members" (perhaps with the forking user as the only member?).
Output of checks
This bug happens on GitLab.com