Some weeks ago I accidentally committed a configuration file containing some passwords and pushed it to a GitLab remote.
After that I used BFG Repo-Cleaner to remove the passwords from the history.
After the clean I executed:
git reflog expire --expire=now --all && git gc --prune=now --aggressive && git push --force
I saw that the commit hashes have changed and the sensitive data has been removed (I can see that both in the GitLab web interface and by exploring a new clone of the repo).
However, if I access one of the old pages by calling the URL directly (https://<my-company>/gitlab/test-bfg/commit/<theoretically-unexisting-hash>), I can see a git diff of a commit containing the passwords! I discovered this accidentally, navigating through my browser history.
If I try to check out the same hash in the just-cloned repo I get this message:
fatal: reference is not a tree: d7fb999c...
So, if a person clones that repo from GitLab I think he or she is not able to view that commit; however, it is still visible from the web interface if one could guess an old hash.
From the GitHub help about removing sensitive data I read:
commits may still be accessible […] hashes in cached views on GitHub. […] you can permanently remove all of your repository’s cached views and pull requests on GitHub by contacting GitHub Support.
So, if this behavior is due to the same issue described in the GitHub help, how can I delete my cached views from GitLab?
P.S. The repo is currently private but we want to make it public, so the passwords are not compromised at the moment.
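One way to systematically check the outcome described in the question, as an added script that is not part of the question or of BFG: it reads the old commit ids from BFG's object-id-map.old-new.txt report (assumed format "old new" per line), confirms each is absent from a fresh clone, and confirms the web UI no longer serves the old commit page. The project URL, clone path and the sample map are assumptions.

```shell
#!/bin/sh
# Added verification script (not from the question). Checks that every
# pre-rewrite commit id is gone from a fresh clone and returns 404 from the
# GitLab commit page. Assumes BFG's object-id-map.old-new.txt ("old new").
set -eu

# Constructed sample of the map format (not a real BFG report).
sample_map() {
  printf '%s\n' \
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' \
    'cccccccccccccccccccccccccccccccccccccccc dddddddddddddddddddddddddddddddddddddddd'
}

# First column of the map: the commit ids that should no longer exist.
# Reads the file given as $1, or stdin when no file is given.
old_ids_from_map() {
  awk 'NF >= 2 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { print $1 }' "${1:--}"
}

# Web URL of a commit, using the pattern from the question.
commit_url() {   # $1 = project URL, $2 = commit id
  printf '%s/commit/%s\n' "${1%/}" "$2"
}

# Exit 0 if the commit object is still in the local clone, 1 if it is gone.
object_in_clone() {   # $1 = path to fresh clone, $2 = commit id
  git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null
}

# HTTP status the web UI returns for the old commit page (000 on no response).
web_status() {   # $1 = project URL, $2 = commit id
  curl -s -o /dev/null -w '%{http_code}' "$(commit_url "$1" "$2")" || true
}

# Usage: verify_rewrite <map-file> <fresh-clone-dir> <project-url>
# Reports every old id that is still in the clone or still served (non-404).
verify_rewrite() {
  rc=0
  for id in $(old_ids_from_map "$1"); do
    if object_in_clone "$2" "$id"; then
      echo "STILL IN CLONE: $id"; rc=1
    fi
    st=$(web_status "$3" "$id")
    [ "$st" = 404 ] || { echo "WEB UI $st: $(commit_url "$3" "$id")"; rc=1; }
  done
  return $rc
}
```

Run it against the map in the .bfg-report directory, a fresh clone taken after the force-push, and the project URL; any line it prints is a commit the rewrite did not fully remove.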