"demo.key" file creation in UI not blocked by secret prevention Push Rules
Summary
A large Self-Managed Ultimate customer tried to use the option to prevent pushing secrets to the repository but was still able to create a file named demo.key by using the browser-based file creation flow.
Steps to reproduce
- Enable the option to prevent pushing secrets
- Go to a project and use the `+` button to add a new file with a name that should be blocked
Example Project
Example project is not available.
Video snippet here (team members only)
What is the current bug behavior?
File is allowed to be created
What is the expected correct behavior?
File is not allowed to be created
Relevant logs and/or screenshots
See video above
Output of checks
Can be gathered if needed
Results of GitLab environment info
Can be gathered if needed.
Version 14.9.2, Self-Managed, Ultimate
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Can be gathered if needed
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
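Until the web UI path enforces the rule, an audit of repository history can show whether secret-named files such as `demo.key` were already committed. The following is an added example, not part of the original issue and not GitLab code: it parses the output of `git log --all --diff-filter=A --name-only --format=%H`. The pattern list, function name, and sample log are assumptions constructed for illustration and do not reproduce GitLab's own list of blocked file names.

```python
import re

# Assumed, illustrative file-name patterns; NOT GitLab's actual blocked list.
SECRET_NAME_PATTERNS = [
    r"\.key$",
    r"\.pem$",
    r"(^|/)id_(rsa|dsa|ed25519|ecdsa)$",
]
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def find_secret_named_files(git_log_text, patterns=SECRET_NAME_PATTERNS):
    """Return (commit, path) pairs for added files whose name matches a pattern.

    Expects the text produced by:
        git log --all --diff-filter=A --name-only --format=%H
    A 40-hex line starts a commit; non-blank lines after it are added paths.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits, commit = [], None
    for raw in git_log_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank separator between the hash and the file list
        if COMMIT_RE.match(line):
            commit = line
            continue
        if commit and any(rx.search(line) for rx in compiled):
            hits.append((commit, line))
    return hits


# Constructed sample input (hashes and paths are made up for this example).
C1, C2, C3 = "a1" * 20, "b2" * 20, "c3" * 20
SAMPLE_LOG = (
    f"{C1}\n\nREADME.md\ndemo.key\n"
    f"{C2}\n\nsrc/app.py\n"
    f"{C3}\n\nconfig/server.pem\ndocs/keynote.md\n"
)

if __name__ == "__main__":
    for commit, path in find_secret_named_files(SAMPLE_LOG):
        print(f"{commit[:8]}  {path}")
```

Any file it reports should be treated as a potentially exposed credential: rotate the key rather than only deleting the file, since it remains in history.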