Bypassing tag check and branch check through imports
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**

**[HackerOne report #2299337](https://hackerone.com/reports/2299337)** by `aaron_dewes` on 2023-12-29, assigned to `GitLab Team`:

[Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

> NOTE! Thanks for submitting a report! Please note that initial triage is handled by HackerOne staff. They are identified with a `HackerOne triage` badge and will escalate to the GitLab team any. Please replace *all* the (parenthesized) sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

##### Summary

GitLab recently implemented a check for security purposes that prevents tags or branches from being named with a SHA1 or SHA256 tag name (https://gitlab.com/gitlab-org/gitlab/-/commit/5146cc013520a950b16bdf71e7849970dc0e3e07).

##### Steps to reproduce

1. Create a repository with a branch or tag name that is also a commit name (SHA1 or SHA256) and upload it on any external Git provider.
2. Import it to GitLab.

##### Impact

I am not sure what impacts you estimated with the original bug fix, but it was security related. Some things I can imagine:

- If an imported pipeline from the recently launched CI/CD catalog is pinned to a commit (https://about.gitlab.com/blog/2023/12/21/introducing-the-gitlab-ci-cd-catalog-beta/), this may be used to replace the commit with a git tag of the same name with different code.
- Any local code by users that relies on a certain commit ("git checkout ...") could be manipulated.

##### Examples

Not sure if necessary; if you need it, please let me know.

##### What is the current *bug* behavior?

Branch or tag with the 40-character hex name gets created.

##### What is the expected *correct* behavior?

Branch or tag cannot be created.

##### Relevant logs and/or screenshots

##### Output of checks

This bug happens on GitLab.com

###### Results of GitLab environment info

#### Impact

This field is duplicated in the "create report" form for some reason, so please check above.

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
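The gap the report describes is a ref-name check that runs on direct branch/tag creation but not on the import path. The example below (added here, not GitLab's own code; the function names and the sample ref list are constructed) shows one shared validator that rejects full SHA-1 and SHA-256 look-alike names and is applied to the refs an importer receives from a remote, so both paths enforce the same rule.

```ruby
# Added example (not GitLab's code): one ref-name validator shared by every
# path that creates refs, including repository import, so that a branch or tag
# can never carry a name that also parses as a full commit id.

# Full SHA-1 (40 hex chars) or SHA-256 (64 hex chars) object ids.
SHA_LIKE_REF_NAME = /\A(?:\h{40}|\h{64})\z/

# Strip the ref namespace so "refs/heads/<x>" and "refs/tags/<x>" are judged
# by the short name, which is what a user types in "git checkout <x>".
def short_ref_name(full_ref)
  full_ref.sub(%r{\Arefs/(?:heads|tags)/}, '')
end

def sha_like_ref_name?(ref)
  SHA_LIKE_REF_NAME.match?(short_ref_name(ref))
end

# Partition refs received from a remote into the ones that may be created and
# the ones that must be dropped (and surfaced to the importing user) because
# they mimic a commit id.
def filter_imported_refs(refs)
  accepted, rejected = refs.partition { |ref| !sha_like_ref_name?(ref) }
  { accepted: accepted, rejected: rejected }
end

# Constructed sample of refs as an importer would receive them.
IMPORTED_REFS = [
  'refs/heads/main',
  'refs/heads/feature/deadbeef',             # short hex fragment: allowed
  'refs/tags/v1.2.3',
  'refs/tags/' + ('a' * 40),                 # 40 hex chars: looks like SHA-1
  'refs/heads/' + ('0123456789abcdef' * 4),  # 64 hex chars: looks like SHA-256
  'refs/tags/' + ('f' * 39)                  # 39 hex chars: not a full id, allowed
].freeze

if $PROGRAM_NAME == __FILE__
  result = filter_imported_refs(IMPORTED_REFS)
  puts "accepted: #{result[:accepted].inspect}"
  puts "rejected: #{result[:rejected].inspect}"
end
```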