Predefined push rule "Prevent pushing secret files" does not apply on first push with branch creation
Summary
When the "Prevent pushing secret files" Push Rule is enabled, it does not apply on the initial commit when a branch does not already exist, and thus is bypassed.
Steps to reproduce
- Enable the Push Rule to "Prevent pushing secret files". For the sake of example, we'll set this across the entire GitLab instance.
- Create a new blank project, but do not initialize it with a README file.
- You should now see "The repository for this project is empty".
- Try to add a file with a name that should cause it to be blocked by the push rule into the repository, either via the web interface or by pushing from git on your local machine. For the sake of example, you can try pushing a file named `id_rsa`.
- The file will be pushed into the repository, bypassing the Push Rule.
- Any subsequent commits that attempt to add files that should be denied by the Push Rule will be blocked as intended. For example, try to push a file named `id_ed25519` into the repo at this point, and you'll see: `remote: GitLab: File name id_ed25519 was prohibited by the pattern "id_ed25519$".`
- If, during project creation, you selected the option to "Initialize repository with a README", then you wouldn't encounter this behavior, and attempting to push a file that should be denied by the push rule would fail as expected.
What is the current bug behavior?
The Push Rule does not stop a user from pushing secret files into a repository on this initial push where a branch is not already created. This may not actually be a "bug", but could be intended behavior based on the Push Rule's logic.
What is the expected correct behavior?
From a user perspective, perhaps the general interpretation of this Push Rule's intention may mean there is an expectation for this sort of edge case to be caught by the rule. As such, pushing secret files should still be blocked in this edge case.
GitLab environment info
This was tested and replicated on:
- GitLab Enterprise Edition 14.8.2-ee
- GitLab.com
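
The edge case reported above, as an added example (not part of the original report and not GitLab's implementation): a generic Git `pre-receive` file-name check that also covers a push which creates the branch, where the old object ID is all zeros and there is no previous tip to diff against. Assumptions: the check runs as a custom server-side hook, the function names are hypothetical, and the `id_rsa$` pattern is inferred by analogy with the `id_ed25519$` pattern quoted in the report.

```python
import re
import subprocess
import sys

ZERO_OID = "0" * 40  # old value git sends when a ref is being created (SHA-1 repos)
# "id_ed25519$" is quoted in the report; "id_rsa$" is assumed by analogy.
PATTERNS = [re.compile(p) for p in (r"id_rsa$", r"id_ed25519$")]


def git_lines(*args):
    """Run a git command and return its non-empty output lines."""
    out = subprocess.run(["git", *args], check=True, capture_output=True, text=True)
    return [line for line in out.stdout.splitlines() if line]


def added_paths(old, new, run=git_lines):
    """Paths added by a ref update, including a push that creates the ref."""
    if new == ZERO_OID:  # ref deletion: nothing is added
        return []
    if old == ZERO_OID:
        # No previous tip to diff against: take every commit not yet reachable
        # from an existing ref, so the first push to an empty repo is covered.
        commits = run("rev-list", new, "--not", "--all")
    else:
        commits = run("rev-list", f"{old}..{new}")
    paths = []
    for commit in commits:
        # --root makes a parentless (initial) commit list its files as added.
        paths += run("diff-tree", "--root", "-r", "--no-commit-id",
                     "--name-only", "--diff-filter=A", commit)
    return paths


def violations(ref_updates, run=git_lines):
    """Return (ref, path, pattern) for each added path that matches a pattern."""
    hits = []
    for line in ref_updates:
        old, new, ref = line.split()
        for path in added_paths(old, new, run):
            hits += [(ref, path, p.pattern) for p in PATTERNS if p.search(path)]
    return hits


if __name__ == "__main__":
    found = violations(l for l in sys.stdin if l.strip())
    for ref, path, pattern in found:
        print(f"{ref}: file name {path} matches {pattern!r}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Installed as a `pre-receive` hook, the script reads the `old new ref` lines git supplies on standard input and rejects the push with a non-zero exit when any added file name matches.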