# Able to create project with unlimited repository size by Project Import

**[HackerOne report #420258](https://hackerone.com/reports/420258)** by ngalog on 2018-10-07:

## Impact

Attacker could create a project with unlimited repository size as a low-privilege user.

## Description

This is achieved by using the project import function: change the value of `"repository_size_limit":null` to `"repository_size_limit":0` in `project.json` inside the GitLab export file, re-tar the archive with the modified `project.json`, and import the tar file. It will allow the user to create a project with unlimited repository size.

## Steps to reproduce

- create a project, export the project, download the export
- untar the export with this cmd: `tar -vxzf export.tar.gz`
- use your favourite text editor to change `project.json` from `"repository_size_limit":null` to `"repository_size_limit":0`
- tar all files back with this cmd: `tar -cvzf import.tar.gz .`
- upload the tar import to gitlab.com

You will notice that the repository now has unlimited repo size.

PoC: Look at https://gitlab.com/golduserngalog/importinifinete/ and you will see the repo size is unlimited.

## Proposed solution

Ignore `repository_size_limit` during Import and rely on a default/inherited value, whichever way it's configured.

## Implementation plan

- [ ] ~backend Add `:repository_size_limit` to `excluded_attributes.project` in https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/import_export/project/import_export.yml#L162
- [ ] ~backend Remove `:repository_size_limit` from `:Project` in https://gitlab.com/gitlab-org/gitlab/blob/master/spec/lib/gitlab/import_export/safe_model_attributes.yml#L559
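The fix the report proposes is an importer-side exclusion list: attributes that govern quotas must never be read from a user-supplied `project.json`, so the imported project falls back to the inherited or default limit. The following Ruby is an added illustration of that idea and is not GitLab's code; the excluded-attribute list, the constructed tampered `project.json`, and the project -> namespace -> instance resolution order are assumptions made for the example. It also shows why the tampered value is dangerous: `0` is truthy in Ruby, so an unsanitised `0` short-circuits the fallback chain and is returned as the effective limit.

```ruby
require 'json'

# Attributes an importer must never accept from a user-supplied project.json.
# Modelled on the report's proposed fix (adding :repository_size_limit to
# excluded_attributes.project); this list is a constructed example.
EXCLUDED_PROJECT_ATTRIBUTES = %w[repository_size_limit].freeze

# Constructed sample of a tampered project.json: the exporter wrote
# "repository_size_limit": null, the attacker changed it to 0 (= unlimited).
TAMPERED_PROJECT_JSON = <<~JSON
  {
    "name": "importinifinete",
    "description": "constructed sample export",
    "visibility_level": 0,
    "repository_size_limit": 0
  }
JSON

# Parse project.json and strip excluded attributes.
# Returns [attrs, dropped]; `dropped` is the list of keys removed, which is
# worth logging: a benign export carries null here, so a non-null value
# arriving in an import is a useful audit signal.
def sanitize_project_import(json_str, excluded: EXCLUDED_PROJECT_ATTRIBUTES)
  attrs = JSON.parse(json_str)
  raise ArgumentError, 'project.json must be a JSON object' unless attrs.is_a?(Hash)

  dropped = attrs.keys & excluded
  [attrs.reject { |key, _| excluded.include?(key) }, dropped]
end

# Resolve the limit the way the proposed fix intends: project value (absent
# after sanitising) -> namespace limit -> instance default. This inheritance
# order is an assumption for the example. Note that a raw 0 from a tampered
# file is truthy and would win here, which is exactly the reported bug.
def effective_repository_size_limit(attrs, namespace_limit:, instance_default:)
  attrs.fetch('repository_size_limit', nil) || namespace_limit || instance_default
end

if __FILE__ == $PROGRAM_NAME
  attrs, dropped = sanitize_project_import(TAMPERED_PROJECT_JSON)
  puts "dropped from import: #{dropped.inspect}"
  limit = effective_repository_size_limit(attrs, namespace_limit: nil,
                                          instance_default: 10 * 1024**3)
  puts "effective repository_size_limit: #{limit}"
end
```

Running the file prints the stripped key and the instance default (10 GiB in this example); feeding the unsanitised hash to `effective_repository_size_limit` instead yields `0`, reproducing the unlimited-size outcome the report describes.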