When a user schedules an export, we don't validate the permissions for that user in the ProjectExportWorker.
This means that when a user loses access to the project, when they already scheduled the export but it hasn't started yet, we would still process the export
Further context from Marin: "Assigning highest priority and severity because this enables abusers to very easily cause a system degradation that quickly can turn into a full outage. By not losing access, this means that when a user is blocked they can continue triggering the export over and over."
Assigning highest priority and severity because this enables abusers to very easily cause a system degradation that quickly can turn into a full outage. By not losing access, this means that when a user is blocked they can continue triggering the export over and over.
GitLab SecurityBotchanged title from ProjectExportWorker does not take user permissions into account to ESCALATED: ProjectExportWorker does not take user permissions into account
changed title from ProjectExportWorker does not take user permissions into account to ESCALATED: ProjectExportWorker does not take user permissions into account
@ifarkas@lmcandrew would it be possible to please get a status update on this issue, given the priority and severity? I see there's a related MR but it doesn't close this issue. I've moved this to %12.7.
@tipyn, we had a fix already approved by a maintainer on dev pretty much just waiting for the security release. Unfortunately, we changed the security development process a week before the actual release and all MRs were closed and I need to resubmit them according to the new process.
GitLab SecurityBotchanged title from ESCALATED: ProjectExportWorker does not take user permissions into account to ProjectExportWorker does not take user permissions into account
changed title from ESCALATED: ProjectExportWorker does not take user permissions into account to ProjectExportWorker does not take user permissions into account