getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

GitLab Integration Problem: Other sentry users can see private GitLab repositories when creating a GitLab Issue from within Sentry #68800

Open lennartdohmann opened 7 months ago

lennartdohmann commented 7 months ago

Environment

self-hosted (https://develop.sentry.dev/self-hosted/)

Steps to Reproduce

  1. Self-hosted sentry v24.3.0
  2. Self-hosted GitLab Enterprise Edition v16.10.1-ee
  3. Sentry - GitLab Integration with whole GitLab instance connected
  4. In the right-hand bar on any Issue on Issue Tracking click on GitLab Issue +
  5. In the GitLab Project drop down menu, any user is able to see any repository inside the GitLab instance (private user repositories, private repositories of any groups, etc.), even those not explicitly added in the integration settings

Expected Result

Of course, by linking an entire GitLab instance of an admin user, Sentry has API access to all groups, repositories and projects, but I would expect that this would not allow other Sentry users to see what repositories etc. are in the entire GitLab instance, especially if they are private or from private groups.

I would have expected that the selection of projects in which you can create a GitLab issue from a Sentry issue are either the GitLab projects that you have mapped to the Sentry projects in the integration settings, or you can set which GitLab projects can be selected by which Sentry team/user. Especially because there is already a project selection and also a mapping of GitLab projects to Sentry projects in the integration settings.

Maybe I just overlooked some setting, did something wrong with the integration or didn't think of any meaningful reason for it. I am grateful for any help to create a little more privacy towards the GitLab instance at this point.

Actual Result

The following drop down menu in the project selection of creating a GitLab-Issue from within a Sentry Issue shows all repositories inside the GitLab instance, not only those that have been added to Sentry in the integration settings, and not only the GitLab projects that have been mapped to Sentry projects in the integration settings.

[Screenshot: 2024-04-10_16-57]

Product Area

Issues

Link

No response

DSN

No response

Version

24.3.0

getsantry[bot] commented 7 months ago

Assigning to @getsentry/support for routing ⏲️

azaslavsky commented 7 months ago

I think this may be a problem with the mainline integration - will refer there to see what's going on.

getsantry[bot] commented 7 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 7 months ago

Routing to @getsentry/product-owners-settings-integrations for triage ⏲️

sentaur-athena commented 7 months ago

@lennartdohmann to clarify, when adding repos to Sentry, you set up Sentry for all the repos, but on GitLab some of your org members don't have access to some of the repos, and you want to keep it that way in Sentry. Can you confirm this?

lennartdohmann commented 7 months ago

> @lennartdohmann to clarify, when adding repos to sentry, you setup sentry for all the repos but on gitlab some of your org members don't have access to some of the repos, and you want to keep it that way in Sentry. Can you confirm this?

Yes, I can confirm this. The members in Sentry can see everything in GitLab in the drop-down menu, instead of just the projects selected for them.

sentaur-athena commented 7 months ago

@lennartdohmann when you add repos to Sentry, if you add all of them you are giving access to all of them in the org. Sentry doesn't manage or read the access on GitLab repos. I will add this as a feature request to our backlog.
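
The scoping requested under "Expected Result" above, as an added example that is not part of the thread and not Sentry's code: the project picker is limited to the GitLab projects mapped to the Sentry project the issue belongs to, and only for members of that Sentry project. All names, data structures and sample values here are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GitLabProject:
    id: int
    path: str


# Constructed sample: everything an instance-wide admin token can list.
TOKEN_VISIBLE = [
    GitLabProject(1, "platform/api"),
    GitLabProject(2, "platform/web"),
    GitLabProject(3, "alice/private-notes"),
    GitLabProject(4, "finance/payroll"),
]
# Constructed sample: Sentry project slug -> GitLab project ids mapped in the
# integration settings (hypothetical structure).
MAPPINGS = {"backend": {1}, "frontend": {2}}
# Constructed sample: Sentry user -> Sentry projects the user belongs to.
MEMBERSHIP = {"dev-a": {"backend"}, "dev-b": {"backend", "frontend"}, "guest": set()}


def picker_unscoped(user, sentry_project):
    """Behaviour reported in the issue: the list depends only on the token."""
    return list(TOKEN_VISIBLE)


def picker_scoped(user, sentry_project):
    """Deny by default: caller must belong to the Sentry project, and only
    GitLab projects mapped to that Sentry project are offered."""
    if sentry_project not in MEMBERSHIP.get(user, set()):
        return []
    allowed_ids = MAPPINGS.get(sentry_project, set())
    return [p for p in TOKEN_VISIBLE if p.id in allowed_ids]


def overexposed(user, sentry_project):
    """Paths the unscoped picker reveals that the scoped one withholds."""
    scoped = set(picker_scoped(user, sentry_project))
    return [p.path for p in picker_unscoped(user, sentry_project) if p not in scoped]


if __name__ == "__main__":
    for user in MEMBERSHIP:
        print(user, [p.path for p in picker_scoped(user, "backend")],
              "withheld:", overexposed(user, "backend"))
```
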