So I made a GitLab account on gitlab.com on Saturday the 19th and a repo for my new project (empty thus far). I made it private, so I didn’t think anyone would be able to access it: https://gitlab.com/JosephXylon/tidytask
This morning 29 spam issues and 29 spam merge requests have appeared on my repo, appearing to have been created by my own account. And they are dated 2 months ago, before my account or this repo existed. I even checked my account activity, and it has hundreds of actions all dated Sept 25th?
My first thought was that my account had been compromised, but I can’t imagine how that would happen, as I use strong passwords and have only logged in from one, fully patched computer.
The comments are all Latin Lorem Ipsum and include links to localhost URLs.
My SSH key is 4096-bit RSA, and I have never exposed the private key to my knowledge. And my private key is even password-protected using a very strong password too.
Just a quick question. How did you create the project? Did you use the “create from template” option, and then the sample GitLab project?
Because I just did that right now, and it gives me 29 open issues with lorem ipsum data. Better would have been to choose the option “create blank project”.
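The triage the thread is doing by hand (are these issues template seed data, or did someone really act as my account?) can be scripted against the fields the GitLab Issues and Projects APIs return. The following is an added example, not code from the thread or from GitLab: it assumes issue records with the API's `iid`, `title`, `description`, `created_at` and `author.username` fields and the project's `created_at`, and the issue records, usernames and dates below are constructed to resemble the thread's symptoms (issues dated before the project existed, Lorem Ipsum bodies, localhost links). The same signals apply to merge requests, which carry the same fields.

```python
"""Classify GitLab issues as template seed data vs. organic activity.

Added example for the forum thread above; not code from GitLab or the
original poster. The records below are CONSTRUCTED to mirror the shape of
the GitLab Issues API, not real API output.
"""
import re
from datetime import datetime

# Constructed: what the Projects API 'created_at' would look like for a
# repo created on a Saturday in October.
PROJECT_CREATED_AT = "2019-10-19T14:02:11.000Z"

# Constructed issue records (assumed API shape; usernames are made up).
SAMPLE_ISSUES = [
    {"iid": 1, "title": "Aliquam venenatis",
     "description": "Lorem ipsum dolor sit amet. See http://localhost:3000/docs",
     "created_at": "2019-09-25T09:14:00.000Z", "author": {"username": "exampleuser"}},
    {"iid": 2, "title": "Consectetur adipiscing",
     "description": "Lorem ipsum consectetur adipiscing elit.",
     "created_at": "2019-09-25T09:14:03.000Z", "author": {"username": "exampleuser"}},
    {"iid": 3, "title": "Add CI pipeline",
     "description": "Run pytest on every push.",
     "created_at": "2019-10-21T08:00:00.000Z", "author": {"username": "exampleuser"}},
    {"iid": 4, "title": "Login page returns 500",
     "description": "Imported from old tracker; see https://example.org/old/77",
     "created_at": "2019-09-25T11:30:00.000Z", "author": {"username": "exampleuser"}},
]

# Links that could only ever have worked on the template author's machine.
LOCALHOST_URL = re.compile(r"https?://(localhost|127\.0\.0\.1)(:\d+)?\b", re.I)
LOREM = re.compile(r"\blorem ipsum\b", re.I)


def parse_ts(value):
    """Parse the RFC 3339 timestamps GitLab emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seed_signals(issue, project_created_at):
    """Return the list of template-seed indicators present on one issue."""
    signals = []
    # An issue cannot organically predate the project it lives in.
    if parse_ts(issue["created_at"]) < parse_ts(project_created_at):
        signals.append("predates_project")
    text = f'{issue.get("title", "")}\n{issue.get("description", "")}'
    if LOREM.search(text):
        signals.append("lorem_ipsum")
    if LOCALHOST_URL.search(text):
        signals.append("localhost_link")
    return signals


def classify(issue, project_created_at):
    """template_seed: impossible timestamp plus placeholder content.
    investigate: impossible timestamp but real-looking content (an import
    preserves original dates too, so a human should look).
    organic: nothing suspicious."""
    signals = seed_signals(issue, project_created_at)
    if "predates_project" in signals and len(signals) >= 2:
        return "template_seed"
    if "predates_project" in signals:
        return "investigate"
    return "organic"


def triage(issues, project_created_at):
    """Count issues per verdict so the scale of the seeding is obvious."""
    counts = {"template_seed": 0, "investigate": 0, "organic": 0}
    for issue in issues:
        counts[classify(issue, project_created_at)] += 1
    return counts


if __name__ == "__main__":
    for issue in SAMPLE_ISSUES:
        print(issue["iid"], classify(issue, PROJECT_CREATED_AT),
              seed_signals(issue, PROJECT_CREATED_AT))
    print(triage(SAMPLE_ISSUES, PROJECT_CREATED_AT))
```

On a real project you would feed `GET /projects/:id/issues` (and `/merge_requests`) output into `triage` together with the project's `created_at`; a result that is almost entirely `template_seed` with the project owner as author is the "create from template" footprint, whereas `investigate` hits or organic-looking issues from another account are what would justify the account-compromise hypothesis.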
This looks just like a ham-handed “crack” of the repo, and I just filed a security case at work.
I recommend you make this a P1 bug and work quickly to make it go away: it almost became a P1 security incident at my employer when gitlab sent me an email saying that one of the issues was open for over a year … in a repo I created late last week.
If you used the create from template option then what did you expect when it’s filled with a load of example data? Maybe you should have created an empty project instead?
The problem is not GitLab, but the way you created the project.
I thought the templating failed, as I expected what I was looking at to contain the promised example. That’s unlike commercial tools like IntelliJ, for example.
At Sun, we referred to this as “accidentally leaving land-mines for your colleagues to find”, and we tried hard to not do it. Of course, we sometimes did, but when we heard a loud boom and saw one of our colleagues flying through the air, we knew we had something to fix (;-))