
Blocked IP address can still get the whole repo by using Run CI/CD for external repository to connect to an IP-restricted repository

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1941803 by ali_shehab on 2023-04-11, assigned to @dcouture:


Original report hidden, simpler repro below

Report

Summary

Hi team, hope you are well. You may block an IP address because you only want this repo to be accessible from a specific IP address. However, it is still possible to get the whole repo with all its files by connecting to the repo while creating the project.

Steps To Reproduce

  1. Create 2 accounts, A and B.
  2. Log in from account A.
  3. Create a group with an Ultimate trial and create a project inside the group.
  4. Now add any files to the project.
  5. Go to group => Settings => Permissions and group features and restrict the IP address of account B.
  6. Now log in from account B and try to access the project created by the group.
  7. You will get a 404 as your IP address is blocked; however, you can still see the project repo by the following steps.
  8. Now go to create a project and choose "Run CI/CD for external repository".
  9. Create the project.
  10. You will be able to see all the files of the repo although your IP address was blocked.

Impact

A user whose IP is restricted can still view the repo of the project.

How To Reproduce

Please add reproducibility information to this section:

  1. Create a public group and restrict IP address in the settings
  2. Create a public project under it
  3. `git clone` the project's HTTPS URL from an IP outside the allowed range

Try it with `git clone https://gitlab.com/repro_1941803/test.git`
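Both the original report and the simplified repro above show the same access decision coming out differently depending on the path used to reach the project: the web UI returns 404 for the restricted IP while another path hands over the repository. The Python below is an added example, not GitLab's code, that models an IP restriction checked only in the web controller beside a version where one policy function serves every entry point, plus an audit helper that compares the decisions across paths. `Group`, `Project`, `AccessRequest`, `ENTRY_POINTS`, `vulnerable_can_read`, `hardened_can_read` and `import_fetch_request` are assumed names; the addresses are constructed from documentation ranges. `import_fetch_request` illustrates a second way such a check can be defeated when the platform fetches a repository on a user's behalf (the fetch originates from the server's own address); that is an assumed failure mode for illustration, not a statement about the confirmed cause of this report.

```python
# Added illustrative model (not GitLab's code): one read decision evaluated on
# every access path, so an IP restriction enforced only by the web controller
# shows up as an inconsistency. All class/function names and sample addresses
# are assumptions constructed for this example.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable

ENTRY_POINTS = ("web", "api", "git-http", "import")


@dataclass
class Group:
    name: str
    # CIDR ranges from the group's "Restrict access by IP address" setting.
    allowed_cidrs: list[str] = field(default_factory=list)


@dataclass
class Project:
    path: str
    group: Group
    visibility: str = "public"  # "public" or "private"


@dataclass
class AccessRequest:
    project: Project
    user_ip: str  # address of the person who initiated the request
    path: str  # one of ENTRY_POINTS


def ip_allowed(group: Group, ip: str) -> bool:
    """True when no restriction is configured or ip lies in an allowed range."""
    if not group.allowed_cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in group.allowed_cidrs)


def vulnerable_can_read(req: AccessRequest) -> bool:
    """Restriction checked only by the web controller; every other path is
    decided by visibility alone, so a public project leaks to blocked IPs."""
    if req.path == "web":
        return req.project.visibility == "public" and ip_allowed(
            req.project.group, req.user_ip)
    return req.project.visibility == "public"


def hardened_can_read(req: AccessRequest) -> bool:
    """One policy function that every entry point must call: the IP restriction
    is evaluated together with visibility, whatever the path."""
    if not ip_allowed(req.project.group, req.user_ip):
        return False
    return req.project.visibility == "public"


def import_fetch_request(project: Project, importer_ip: str, fetcher_ip: str,
                         use_initiator_ip: bool) -> AccessRequest:
    """Build the request for a server-side fetch such as an import into a new
    project. The TCP source of that fetch is the platform's own host
    (fetcher_ip); the decision must be made against the human who started it
    (importer_ip), or an allowlisted server address vouches for everyone.
    Assumed failure mode for illustration, not a claim about GitLab internals."""
    ip = importer_ip if use_initiator_ip else fetcher_ip
    return AccessRequest(project, ip, "import")


Policy = Callable[[AccessRequest], bool]


def audit(policy: Policy, project: Project, ip: str) -> dict[str, bool]:
    """Evaluate one policy from one IP on every entry point."""
    return {p: policy(AccessRequest(project, ip, p)) for p in ENTRY_POINTS}


def inconsistent_paths(policy: Policy, project: Project, ip: str) -> list[str]:
    """Entry points whose decision differs from the web UI's decision."""
    results = audit(policy, project, ip)
    return [p for p, ok in results.items() if ok != results["web"]]


if __name__ == "__main__":
    # Constructed sample: the group only admits 203.0.113.0/24 (TEST-NET-3).
    grp = Group("restricted-group", ["203.0.113.0/24"])
    proj = Project("restricted-group/test", grp)
    blocked, allowed = "198.51.100.7", "203.0.113.5"
    print("vulnerable, blocked IP:", inconsistent_paths(vulnerable_can_read, proj, blocked))
    print("hardened,   blocked IP:", inconsistent_paths(hardened_can_read, proj, blocked))
    print("hardened,   allowed IP:", audit(hardened_can_read, proj, allowed))
```

Running the script with the constructed group lists `api`, `git-http` and `import` as inconsistent for the vulnerable policy and nothing for the hardened one. The same audit idea applies when testing a live instance: exercise every path a repository can be read through (UI, API, git over HTTP and SSH, imports and mirrors) from an address outside the allowlist and expect the identical refusal on each.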

Edited by Dominic Couture