Change Details

Per [[https://www.mediawiki.org/wiki/PhpStorm_project_security|mw:PhpStorm project security]], there is a security risk to opening unreviewed directories in PhpStorm if they contain PhpStorm or VCS configuration files. I suggest adding a global [[https://docs.gitlab.com/ee/user/project/repository/push_rules.html|push rule]] to our GitLab configuration which prevents such files from being uploaded by default. Suggested regexes: ``` (^|\/)\.(idea|git|svn|hg)\/ \.(ipr|iws|iml|gdsl)$ ``` Apparently slashes have to be escaped for some reason. The GitLab documentation states that projects may override global rules, which I think is fine. If a team really wants to share their .idea directory, they can do that as long as they have appropriate checks and access controls. The point is to prevent a surprise compromise on projects that don't normally share configuration. Gerrit search for affected files: * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(ipr%257Ciws%257Ciml%257Cgdsl)%2522 * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(idea%257Cgit%257Csvn%257Chg)/.*%2522 Not sure how to do that search in GitLab.

Per [[https://www.mediawiki.org/wiki/PhpStorm_project_security|mw:PhpStorm project security]], there is a security risk to opening unreviewed directories in PhpStorm if they contain PhpStorm or VCS configuration files. I suggest adding a global [[https://docs.gitlab.com/ee/user/project/repository/push_rules.html|push rule]] (Premium edition feature) to our GitLab configuration which prevents such files from being uploaded by default. Suggested regexes: ``` (^|\/)\.(idea|git|svn|hg)\/ \.(ipr|iws|iml|gdsl)$ ``` Apparently slashes have to be escaped for some reason. The GitLab documentation states that projects may override global rules, which I think is fine. If a team really wants to share their .idea directory, they can do that as long as they have appropriate checks and access controls. The point is to prevent a surprise compromise on projects that don't normally share configuration. Gerrit search for affected files: * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(ipr%257Ciws%257Ciml%257Cgdsl)%2522 * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(idea%257Cgit%257Csvn%257Chg)/.*%2522 Not sure how to do that search in GitLab.

Per [[https://www.mediawiki.org/wiki/PhpStorm_project_security|mw:PhpStorm project security]], there is a security risk to opening unreviewed directories in PhpStorm if they contain PhpStorm or VCS configuration files. I suggest adding a global [[https://docs.gitlab.com/ee/user/project/repository/push_rules.html|push rule]] (Premium edition feature) to our GitLab configuration which prevents such files from being uploaded by default. Suggested regexes: ``` (^|\/)\.(idea|git|svn|hg)\/ \.(ipr|iws|iml|gdsl)$ ``` Apparently slashes have to be escaped for some reason. The GitLab documentation states that projects may override global rules, which I think is fine. If a team really wants to share their .idea directory, they can do that as long as they have appropriate checks and access controls. The point is to prevent a surprise compromise on projects that don't normally share configuration. Gerrit search for affected files: * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(ipr%257Ciws%257Ciml%257Cgdsl)%2522 * https://gerrit.wikimedia.org/r/q/path:%2522%255E.*%255C.(idea%257Cgit%257Csvn%257Chg)/.*%2522 Not sure how to do that search in GitLab.