gitlab / securing public repositories
In the past, GitLab repositories were created with Public Visibility by default. Now they have a more sensible security setting. Still, it can be nice to assert that public repositories are not Public-by-Accident.
How? Well, one fix is to check that Public repositories are in a whitelisted public namespace (e.g. /public/). That way it’s immediately obvious that the repositories herein are visible to everyone.
Use a Private browser and go to: https://YOUR_GITLAB_INSTANCE/explore/projects
Does it contain more projects than you expect? Then you may want to periodically run this gitlab-find-pub-shared.sh script:
#!/bin/sh
# Complain if "public" projects are found outside the "pub" namespace.
# Complain if "internal" projects are found outside the "shared" namespace.
# GitLab visibility_level values: 0 = private, 10 = internal, 20 = public.
# psql -tAF, prints one "level,group/subgroup/project" row per project.
projects=$(su -l -s /bin/sh -c \
    "psql gitlabhq_production -tAF, -c \"select p.visibility_level as lvl, (coalesce(n2.path || '/', '') || n.path || '/' || p.path) as pth
    from projects p inner join namespaces n on n.id = p.namespace_id left join namespaces n2 on n2.id = n.parent_id order by pth, lvl;\"" postgres)
if test "$1" = "-v"; then  # verbose: also print every row
    echo "$projects"
fi
echo "$projects" | while read -r line; do
    test -n "$line" || continue   # skip empty lines
    level=${line%%,*}             # text before the first comma
    path=${line#*,}               # everything after it
    namespace=${path%%/*}         # top-level namespace only
    if test "$namespace" = "pub" && test "$level" -eq 20; then
        :
    elif test "$namespace" = "shared" && test "$level" -eq 10; then
        :
    elif test "$level" -eq 0; then
        :
    else
        echo "Unexpected level $level for $path" >&2
    fi
done
Additionally, any pipelines (CI/CD build logs) on your Public projects may also be visible to anyone. See Visibility of pipelines in GitLab projects. This may not be the best default.
To automatically ensure privacy there — Public pipelines set to FALSE — you can periodically run this gitlab-no-public-pipelines-build-logs.sh script:
#!/bin/sh
# Automatically set the "Public pipelines" (public_builds) to false for
# all projects. In GitLab 12 success/failure checkmarks are visible to
# anyone, but the contents of the logs/artifacts will not be.
su -l -s /bin/sh -c '\
    psql gitlabhq_production -tAF, -c \
    "update projects set public_builds = false where public_builds = true;"' \
    postgres >/dev/null
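As an added example (not the post's own code): one audit that merges both checks, so a single cron job reports public projects outside pub/, internal projects outside shared/, and public projects whose pipelines are still public. The query in the comment is adapted from the scripts above (an assumption about column names, taken from those scripts) and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: one audit that combines both
# checks. Input rows are "level,public_builds,path", which this query
# (adapted from the post's scripts) yields when run with psql -tAF, :
#   select p.visibility_level, p.public_builds,
#          (coalesce(n2.path || '/', '') || n.path || '/' || p.path)
#   from projects p inner join namespaces n on n.id = p.namespace_id
#   left join namespaces n2 on n2.id = n.parent_id;
# Visibility levels: 0 private, 10 internal, 20 public. "pub" and "shared"
# are the post's namespace convention.

audit_projects() {
    while IFS=, read -r level public_builds path; do
        [ -n "$level" ] || continue            # skip blank lines
        namespace=${path%%/*}                  # top-level group only
        case "$level" in
            0)  ;;                             # private: allowed anywhere
            10) [ "$namespace" = shared ] ||
                    echo "internal project outside shared/: $path" ;;
            20) [ "$namespace" = pub ] ||
                    echo "public project outside pub/: $path"
                # public pipelines on a public project expose build logs to anyone
                [ "$public_builds" != t ] ||
                    echo "public pipelines enabled on public project: $path" ;;
            *)  echo "unknown visibility level $level for $path" ;;
        esac
    done
}

# Constructed sample rows in psql -tAF, shape (not real projects).
SAMPLE='20,t,pub/website
20,f,pub/docs
20,t,alice/secret-tool
10,f,shared/toolbox
10,f,ops/nested/internal-app
0,t,alice/private-thing'

# Runs the audit on the sample; on a real instance, run the query above via
# psql as in the post's scripts and pipe its output into audit_projects.
audit_demo() {
    printf '%s\n' "$SAMPLE" | audit_projects
}

audit_demo
```

For cron use, treat any output line as a finding worth an e-mail; the sample above yields four.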