Selectively hide fork information a user shouldn't be able to see
What does this MR do and why?
If someone changes access to the repository, MRs, or issues to "Project members only" in a fork, that information is still available in the list of forks of the original project.
As described in issue #293737 (closed):
If the malicious user can create a popular project, he can monitor repository commits of companies who use his open-source project template! And accessing forks, MRs, issues count is a big violation
NOTE: As per #293737 (comment 721895324), this can be fixed outside of the normal security process.
Screenshots or screen recordings
Before:
After:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #293737 (closed)
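The leak described above, sketched as an added example that is not code from this MR or from GitLab: a forks-list row built without and then with a per-feature visibility check. Every class, method and field name is hypothetical, the sample fork is constructed, and guarding the forks count with the repository setting is an assumption of the sketch.

```ruby
# Added illustration; every name here is hypothetical, not GitLab's code.
ENABLED = :enabled  # visible to anyone who can see the project
PRIVATE = :private  # "Project members only"

# Which feature setting guards which field of a row in the forks list.
FIELD_FEATURE = {
  issues_count: :issues,
  merge_requests_count: :merge_requests,
  forks_count: :repository, # assumption made for this sketch
  last_commit: :repository
}.freeze

Fork = Struct.new(:path, :members, :access, :data, keyword_init: true) do
  # Fail closed: a feature with no recorded level is treated as members-only.
  def can_read?(viewer, feature)
    access.fetch(feature, PRIVATE) == ENABLED || members.include?(viewer)
  end
end

# Before: the row is built from the fork's data with no per-feature check.
def fork_row_unfiltered(fork, _viewer)
  { path: fork.path }.merge(fork.data)
end

# After: a field is included only if the viewer may read the guarding feature.
def fork_row_filtered(fork, viewer)
  visible = fork.data.select do |field, _value|
    feature = FIELD_FEATURE[field]
    feature && fork.can_read?(viewer, feature)
  end
  { path: fork.path }.merge(visible)
end

# Constructed sample: a fork whose repository and MRs are members-only.
def sample_fork
  Fork.new(
    path: "acme/template-fork",
    members: ["alice"],
    access: { issues: ENABLED, merge_requests: PRIVATE, repository: PRIVATE },
    data: { issues_count: 4, merge_requests_count: 7, forks_count: 1,
            last_commit: "constructed commit title" }
  )
end

if __FILE__ == $PROGRAM_NAME
  p fork_row_unfiltered(sample_fork, "outside_viewer")
  p fork_row_filtered(sample_fork, "outside_viewer")
  p fork_row_filtered(sample_fork, "alice")
end
```

A regression test for this class of bug asserts on the row as seen by a non-member, since the member's view is identical before and after the fix.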