gitlab / securing public repositories

gitlab / securing public repositories

  • Written by
    Walter Doekes
  • Published on

In the past, GitLab repositories were created with Public Visibility by default. Now they have a more sensible security setting. Still, it can be nice to assert that public repositories are not Public-by-Accident.

How? Well, one fix is to check that Public repositories are in a whitelisted public namespace (e.g. /public/). That way it’s immediately obvious that the repositories herein are visible to everyone.

Use a Private browser and go to: https://YOUR_GITLAB_INSTANCE/explore/projects

Does it contain more projects than you expect? Then you may want to periodically run this gitlab-find-pub-shared.sh script:

#!/bin/sh
# Complain if "public" projects are found outside the "pub" namespace.
# Complain if "internal" projects are found outside the "shared" namespace.

projects=$(su -l -s /bin/sh -c \
    "psql gitlabhq_production -tAF, -c \"select p.visibility_level as lvl, (coalesce(n2.path || '/', '') || n.path || '/' || p.path) as pth
    from projects p inner join namespaces n on n.id = p.namespace_id left join namespaces n2 on n2.id = n.parent_id order by pth, lvl;\"" postgres)

if test "$1" = "-v"; then  # verbose
    echo "$projects"
fi

echo "$projects" | while read -r line; do
    level=${line%%,*}
    path=${line#*,}
    namespace=${path%%/*}
    if test "$namespace" = "pub" && test $level -eq 20; then
        :
    elif test "$namespace" = "shared" && test $level -eq 10; then
        :
    elif test $level -eq 0; then
        :
    else
        echo "Unexpected level $level for $path" >&2
    fi
done

Additionally, any pipelines (CI/CD build logs) on your Public projects may also be visible to anyone. See Visibility of pipelines in GitLab projects. This may not be the best default.

To automatically ensure privacy there — Public pipelines set to FALSE — you can periodically run this gitlab-no-public-pipelines-build-logs.sh script:

#!/bin/sh
# Automatically set the "Public pipelines" (public_builds) to false for
# all projects. In GitLab 12 success/failure checkmarks are visible to
# anyone, but the contents of the logs/artifacts will not be.
su -l -s /bin/sh -c '\
    psql gitlabhq_production -tAF, -c \
    "update projects set public_builds = false where public_builds = true;"' \
    postgres >/dev/null

Back to overview Newer post: nss-dns4only / libc / disable AAAA lookups Older post: more or less useless tips and tricks 3