
I have a repository on Gitlab with some commits on one branch as follows

A - B - C - D - HEAD

I mistakenly uploaded some secret token string on commit B, and I noticed later on, so I created a new branch from A then copied manually all files from commit D so history now looks like this

    E - HEAD
   /
A - B - C - D

Now what I did was to delete on Gitlab the branch BCD so those "token commits" are no longer accessible, and the history looks like

A - E - HEAD

However, I just noticed that I can still access the troublesome commits through Project -> Activity and seeing there my old pushes where the old commits are still accessible.

How can I completely delete those?

RabidTunes
  • For Github you need to delete the repository or contact support: https://stackoverflow.com/a/32840254/7976758 . For Gitlab it's probably the same. – phd Aug 10 '22 at 21:42
  • Why can't you change your current token to new one? So even if someone see your old token, he should not have chances to use it, because you will have new one. – kosist Aug 10 '22 at 21:51
  • As soon as you pushed, then for all intents and purposes the commits with your token should be treated as widely available, forever, and impossible for you to ever recover or delete. Invalidate the leaked token and generate a new one, and chalk this up as a learning experience regarding secret management. – Stephen Newell Aug 10 '22 at 23:10
  • @phd actually GitLab does offer pruning capabilities. There are some caveats but it's definitely very different than GitHub, AzureDevOps, and BitBucket, which AFAIK all pretty much keep commits forever unless you fully replace the repo or perhaps involve support. – TTT Aug 11 '22 at 02:43
  • Thanks for all the comments, yeah I thought I was being smart by changing the main branch and deleting the problematic commits, but seems like the easiest and more "correct" way of proceeding is to rotate the token I mistakenly uploaded. Btw this wasn't a security concern up until now because the repo was private but I was going to make it public soon then I noticed my mistake. – RabidTunes Aug 11 '22 at 06:34

1 Answer

As you have noticed, GitLab holds onto git references in some circumstances, even if you delete those commits and force push over all your branches. Besides the activity page you mentioned, this will also include things like MR diffs, pipeline refs, and more.

This is also apparent when committing large files -- simply deleting the commits and force pushing won't reduce the project storage size!

To completely remove the contents from the GitLab project, you need to follow this guide for purging repository history. After you initiate the project cleanup by uploading the filter file, all the various commit references will be deleted and the contents are completely gone and inaccessible.

You may still see commit hashes and messages in the activity page, but the links will not show any of the contents of those commits because they have been deleted.

As noted in the docs:

This process is not suitable for removing sensitive data like password or keys from your repository. Information about commits, including file content, is cached in the database, and remain visible even after they have been removed from the repository.

So, as mentioned in this answer, the first step you should take is to rotate your compromised credentials.

If it is important to you to completely remove even the commit messages and hashes in the activity page and database references, your only option would be to migrate/delete and re-create the project (after purging the git history). But this will also remove things like issues, merge requests, etc.

sytech
  • Thanks for the useful links, yeah seems like the best and easiest way is to rotate the token so it's useless for people that see it instead of trying to rewrite git history – RabidTunes Aug 11 '22 at 06:35
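The point the answer makes, that deleting a branch does not delete the commits, can be reproduced locally. The script below is an added example, not code from the question, the answer, or GitLab: it builds the A - B - C - D history from the question in a throwaway repository, recreates the clean A - E branch the way the asker did, deletes the old branch, and checks whether the commit that carried the token is still present. It assumes `git`, `mktemp` and a POSIX shell; the token value is a constructed placeholder.

```shell
#!/bin/sh
# Added example; not code from the question, the answer, or GitLab.
# Shows that deleting the branch which contained a leaked token leaves the
# commit object in place until the reflog is expired and unreachable objects
# are garbage-collected. The same holds for the server's copy of the repo.
set -eu

# Constructed placeholder, not a real credential.
LEAKED_TOKEN="EXAMPLE_LEAKED_TOKEN_do_not_use"

# Run git with a fixed identity so the example needs no global config.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build the repository in a fresh temp directory and cd into it.
# Sets REPO_DIR and LEAKED_COMMIT (the hash of commit B).
make_repo() {
  REPO_DIR=$(mktemp -d)
  cd "$REPO_DIR"
  g init -q
  git symbolic-ref HEAD refs/heads/main
  echo "readme" > README;             g add README; g commit -qm "A"
  echo "token=$LEAKED_TOKEN" > config; g add config; g commit -qm "B: token committed by mistake"
  LEAKED_COMMIT=$(git rev-parse HEAD)
  echo "more" >> README;              g add README; g commit -qm "C"
  git rm -q config;                                 g commit -qm "D: token removed from tree, still in B"
  # New branch from A, working tree copied from D, then the old branch deleted,
  # mirroring what the question describes.
  g checkout -q -b clean main~3
  g checkout -q main -- .
  g commit -qm "E: contents of D without the B-C-D history"
  g branch -q -D main
}

# Exit 0 if the commit object still exists in the object database
# (the local analogue of the commit still opening from the Activity page).
commit_present() { git cat-file -e "$1" 2>/dev/null; }

# Exit 0 if the token text is still found in any commit git can reach,
# including commits kept alive only by the reflog.
token_in_history() { git log --all --reflog -p | grep -q "$LEAKED_TOKEN"; }

# Local purge: expire reflog entries, then garbage-collect unreachable objects.
# This only cleans the local clone; copies already pushed to a server are
# untouched, which is why the answer says to rotate the credential first.
purge_unreachable() {
  git reflog expire --expire=now --all
  git gc -q --prune=now
}

# Demo when run directly.
make_repo
if commit_present "$LEAKED_COMMIT"; then
  echo "branch deleted, but commit $LEAKED_COMMIT is still present"
fi
purge_unreachable
if commit_present "$LEAKED_COMMIT"; then
  echo "commit $LEAKED_COMMIT survived the purge"
else
  echo "after reflog expiry and gc, commit $LEAKED_COMMIT is gone"
fi
```

Run it as `sh purge_demo.sh`. The first message appears because `git branch -D` only removes the ref; the HEAD reflog still points at D, which keeps B, C and D alive. On GitLab the equivalent of the `purge_unreachable` step is the repository cleanup the answer links to, which takes the commit map that `git filter-repo` writes; this example stays with plain git and stops at the local clone.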