Commit messages can accidentally cause tagging of users or groups

Summary

Adding a commit message containing a @group or @user to an MR will cause that group/user to become a Participant in the MR.

Screenshot from blackstream-x/postleid!3 (merged) where the user has accidentally tagged all GitLab Pages group members:

(attached image: Screenshot_2023-11-14_at_16.20.16)

Steps to reproduce

  1. Open an MR
  2. Add a commit to the MR containing @group or @user as commit message title
  3. See the group members or user now being a participant in the MR

Example Project

blackstream-x/postleid!3 (merged)

What is the current bug behavior?

The user can tag any public group or user in a commit message (which may or may not have been written using the GitLab UI).

What is the expected correct behavior?

The user can tag only public users or groups of organisations they are a member of. In all other cases the commit message remains a plaintext string.
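The following is an added illustration of the expected behaviour described above; it is not the reporter's proposal nor GitLab's code. It extracts @mentions from a commit message and turns a mention into a participant only when it names a group the author belongs to, or a user who shares a group with the author; every other mention stays plain text. The mention pattern, the `DIRECTORY` sample data and the sharing rule for users are assumptions made for the example.

```ruby
# Added example (not GitLab's implementation): resolve @mentions in a commit
# message against the author's memberships so that arbitrary public groups
# and users are not pulled into the MR as participants.

# Assumed mention syntax: "@" at start of text or after whitespace/bracket,
# followed by a namespace path. An e-mail address such as dev@example.com
# does not match because "@" is preceded by a word character.
MENTION_RE = /(?:\A|(?<=\s|\(|\[))@([A-Za-z0-9_][A-Za-z0-9_\-]*(?:\/[A-Za-z0-9_\-]+)*)/

# Constructed sample directory, standing in for the instance's users/groups.
DIRECTORY = {
  "acme"      => { type: :group, members: %w[alice bob] },
  "other-org" => { type: :group, members: %w[carol] },
  "alice"     => { type: :user },
  "bob"       => { type: :user },
  "carol"     => { type: :user },
}.freeze

# All distinct mentions in order of first appearance.
def extract_mentions(message)
  message.scan(MENTION_RE).flatten.uniq
end

# Groups the given user is a member of.
def groups_of(user, directory = DIRECTORY)
  directory.select { |_, e| e[:type] == :group && e[:members].include?(user) }.keys
end

# Split mentions into those that may become participants and those that
# remain plain text. Rule (assumption): a group is allowed only if the author
# is a member; a user is allowed only if they share at least one group with
# the author (or is the author); unknown names are never resolved.
def resolve_mentions(message, author, directory = DIRECTORY)
  author_groups = groups_of(author, directory)
  result = { participants: [], plaintext: [] }
  extract_mentions(message).each do |name|
    entity  = directory[name]
    allowed =
      case entity&.fetch(:type)
      when :group then author_groups.include?(name)
      when :user  then name == author || (groups_of(name, directory) & author_groups).any?
      else false
      end
    (allowed ? result[:participants] : result[:plaintext]) << name
  end
  result
end

# Users who would actually be notified: allowed groups expand to their
# members, allowed users stay as-is, and the author is never notified.
def notified_users(message, author, directory = DIRECTORY)
  resolve_mentions(message, author, directory)[:participants].flat_map do |name|
    e = directory[name]
    e[:type] == :group ? e[:members] : [name]
  end.uniq - [author]
end

if __FILE__ == $PROGRAM_NAME
  msg = "Fix typo reported by @bob, see @other-org and mail dev@example.com"
  p resolve_mentions(msg, "alice")
  p notified_users("@acme please review", "alice")
end
```

With the sample data, `alice` mentioning `@other-org` leaves that text untouched because she is not a member, while `@acme` expands to the group's other members.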

Output of checks

This bug happens on GitLab.com

Possible fixes

Edited by 🤖 GitLab Bot 🤖