Able to Create -> Tag names cannot start with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2710713 by nexusghostt on 2024-09-10, assigned to @cmaxim:


Report

Hi team,

GitLab recently fixed a security issue where users are not allowed to create tag names with SHA1 or SHA256 -

see here - #437103 (closed)

hackerone - https://hackerone.com/reports/2299337

Now see this commit - GitLab implemented a check for security purposes that prevents this -> Tag names cannot start with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`

IMG-20240910-WA0001.jpg

here link - 5146cc01

Steps to reproduce

1. User created a group and project at https://gitlab.com

2. Navigate to the project > create a tag > tag name starting with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`

3. Tags are created successfully there

see here

IMG-20240910-WA0002.jpg

What is the current bug behavior?

Tags starting with `-`, `refs/heads`, `refs/tags`, or `refs/remotes` are created successfully.

What is the expected correct behavior?
Tags should not be created.

Output of checks
This bug happens on GitLab.com


Impact

GitLab prevented it for some security concerns, but it was not implemented properly at https://gitlab.com; an attacker user can successfully create tags starting with `-`, `refs/heads`, `refs/tags`, or `refs/remotes`.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
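For context on what the missing check should enforce, here is a small Ruby illustration of the two tag-name rules the report refers to (the forbidden prefixes from the commit above and the SHA1/SHA256 rule from #437103). This is added example code, not GitLab's own validator; the function names, messages and sample names are constructed for the illustration, and the report's point stands regardless: a check like this only helps when it actually runs on the deployed instance at tag-creation time.

```ruby
# Added illustration (not GitLab's code): server-side validation of a tag name
# against the two rules referenced in the report.

# Prefixes the commit referenced above forbids at the start of a tag name.
FORBIDDEN_PREFIXES = ['-', 'refs/heads', 'refs/tags', 'refs/remotes'].freeze

# A SHA1 hex digest is 40 hex characters, a SHA256 hex digest is 64.
HEX_DIGEST = /\A(?:\h{40}|\h{64})\z/

# Returns nil when the name is acceptable, otherwise a reason string.
def tag_name_error(name)
  return 'Tag name must not be empty' if name.nil? || name.empty?

  # Rule from #437103: a name that looks like a commit hash is rejected.
  return 'Tag name must not be a SHA1 or SHA256 digest' if name.match?(HEX_DIGEST)

  # Rule from the referenced commit: reject the forbidden leading strings.
  prefix = FORBIDDEN_PREFIXES.find { |p| name.start_with?(p) }
  return "Tag name cannot start with #{prefix}" if prefix

  nil
end

def valid_tag_name?(name)
  tag_name_error(name).nil?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, covering both rejected and accepted cases.
  samples = ['v1.0.0', '-force', 'refs/heads/main', 'refs/tags/v1',
             'refs/remotes/origin/main', 'a' * 40, '0' * 64, 'release/refs/heads']
  samples.each { |n| puts "#{n.ljust(30)} -> #{tag_name_error(n) || 'ok'}" }
end
```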