  • #332609
Closed
Open
Issue created Jun 03, 2021 by Greg Myers@gregDeveloper

Forks of public projects by project members can leak codebase

Summary

There are public projects that intentionally restrict visibility of the source code to project members only (for example: https://gitlab.com/gitlab-org/customers-gitlab-com).

Project members can fork these projects into another namespace to test changes without impacting the upstream project.

A project member clicking "Fork" will copy the project, but not the project visibility settings. This can lead to unintentionally exposing proprietary source code never intended for public consumption.

Steps to reproduce

  1. Create public project in a group namespace.
  2. Set repository view/edit access to "Only Project Members".
  3. Verify that project source code is not publicly visible using different browser or incognito mode
  4. Fork this project into your personal namespace.
  5. Verify that the project source code on the fork is publicly visible.

Results of not realizing this happened: https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1454

Example Project

https://gitlab.com/gitlab-org/customers-gitlab-com (any GitLab team member forking this project will publicly expose the source code)

What is the current bug behavior?

As a project member, forking a project with Repository visibility set to "Only Project Members" creates a project where Repository is visible to all.

What is the expected correct behavior?

Project members forking a project with Repository visibility set to "Only Project Members" have their fork's Repository visibility also configured to "Only Project Members" (perhaps with them as the only member?)
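An audit for the mismatch described above, added here as an example and not part of this issue or of GitLab's own code: it flags forks whose repository is readable by a wider audience than the upstream project's. Field names follow the GitLab Projects API (`visibility`, `repository_access_level`, where `"private"` is the "Only Project Members" setting, and `forked_from_project`); the project records in `SAMPLE_PROJECTS` are constructed sample data, not live API responses.

```python
# Added example, not GitLab's own code. Audits a set of project records
# (shaped like GitLab Projects API responses) for forks that expose their
# repository more widely than the upstream they were forked from.

AUDIENCE_RANK = {"nobody": 0, "members": 1, "internal": 2, "public": 3}

# Tightest single setting change that brings a fork back to the upstream audience
FIX_FOR = {"nobody": {"repository_access_level": "disabled"},
           "members": {"repository_access_level": "private"}}


def repository_audience(project: dict) -> str:
    """Who can read the repository: project visibility combined with the
    repository feature's access level ("private" == Only Project Members)."""
    level = project.get("repository_access_level", "enabled")
    if level == "disabled":
        return "nobody"
    if level == "private" or project["visibility"] == "private":
        return "members"
    return project["visibility"]  # "enabled" follows visibility: internal/public


def find_leaky_forks(projects: list[dict]) -> list[dict]:
    """Return one finding per fork whose repository audience exceeds its upstream's."""
    by_id = {p["id"]: p for p in projects}
    findings = []
    for fork in projects:
        parent = fork.get("forked_from_project")
        if not parent or parent["id"] not in by_id:
            continue  # not a fork, or upstream is outside the audited set
        upstream = by_id[parent["id"]]
        fork_aud, up_aud = repository_audience(fork), repository_audience(upstream)
        if AUDIENCE_RANK[fork_aud] > AUDIENCE_RANK[up_aud]:
            findings.append({"fork": fork["path_with_namespace"],
                             "upstream": upstream["path_with_namespace"],
                             "fork_audience": fork_aud, "upstream_audience": up_aud,
                             "fix": FIX_FOR.get(up_aud, {"visibility": up_aud})})
    return findings


# Constructed sample: public upstream with members-only repository, three forks
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "example-group/customers-app",
     "visibility": "public", "repository_access_level": "private"},
    # Fork kept public visibility but the repository setting was not copied: leak
    {"id": 2, "path_with_namespace": "alice/customers-app", "forked_from_project": {"id": 1},
     "visibility": "public", "repository_access_level": "enabled"},
    # Fork made private: safe
    {"id": 3, "path_with_namespace": "bob/customers-app", "forked_from_project": {"id": 1},
     "visibility": "private", "repository_access_level": "enabled"},
    # Fork that kept the members-only repository setting: safe
    {"id": 4, "path_with_namespace": "carol/customers-app", "forked_from_project": {"id": 1},
     "visibility": "public", "repository_access_level": "private"},
]

if __name__ == "__main__":
    for finding in find_leaky_forks(SAMPLE_PROJECTS):
        print(finding)
```

Feeding it the output of the projects API for a group (with `forked_from_project` populated) turns it into a periodic check that would have caught the fork in this report before it went public.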

Output of checks

This bug happens on GitLab.com

Possible fixes

Example of how this can unintentionally leak data

https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1454

Edited Jun 04, 2021 by Greg Myers